Pharmaceutical procuct packaging

ABSTRACT

A method of producing pharmaceutical product packaging. The method includes, determining a serial number associated with a pharmaceutical product, generating, using the serial number, an identity, and generating, using the identity, a digital signature of at least part of the identity. The identity and signature are then used to generate coded data including a number of coded data portions, each coded data portion encoding the identity and at least part of the signature, the pharmaceutical product packaging being printed by printing at least some coded data, and at least one of the identity and the serial number.

FIELD OF THE INVENTION

The present invention broadly relates to a method and apparatus for theprotection of products and security documents using machine readabletags disposed on or in a surface of the product or security document.

CO-PENDING APPLICATIONS

The following applications have been filed by the Applicantsimultaneously with the present application: HYS001US HYS002US HYS003USHYS004US HYS005US HYP001US HYP003US HYP004US HYP005US HYN001US HYN002USHYN003US HYN004US HYN005US

The disclosures of these co-pending applications are incorporated hereinby reference. The above applications have been identified by theirfiling docket number, which will be substituted with the correspondingapplication number, once assigned.

CROSS-REFERENCES

Various methods, systems and apparatus relating to the present inventionare disclosed in the following co-pending applications and grantedpatents filed by the applicant or assignee of the present invention. Thedisclosures of all of these co-pending applications and granted patentsare incorporated herein by cross-reference. 6,795,215 10/884,881 PEC01NP09/575,109 10/296,535 09/575,110 6,805,419 09/607,985 6,398,3326,394,573 6,622,923 6,747,760 10/189,459 10/943,941 10/949,29410/727,181 10/727,162 10/727,163 10/727,245 10/727,204 10/727,23310/727,280 10/727,157 10/727,178 10/727,210 10/727,257 10/727,23810/727,251 10/727,159 10/727,180 10/727,179 10/727,192 10/727,27410/727,164 10/727,161 10/727,198 10/727,158 10/754,536 10/754,93810/727,227 10/727,160 10/934,720 10/854,521 10/854,522 10/854,48810/854,487 10/854,503 10/854,504 10/854,509 10/854,510 10/854,49610/854,497 10/854,495 10/854,498 10/854,511 10/854,512 10/854,52510/854,526 10/854,516 10/854,508 10/854,507 10/854,515 10/854,50610/854,505 10/854,493 10/854,494 10/854,489 10/854,490 10/854,49210/854,491 10/854,528 10/854,523 10/854,527 10/854,524 10/854,52010/854,514 10/854,519 PLT036US 10/854,499 10/854,501 10/854,50010/854,502 10/854,518 10/854,517 10/934,628 10/728,804 10/728,95210/728,806 10/728,834 10/729,790 10/728,884 10/728,970 10/728,78410/728,783 10/728,925 10/728,842 10/728,803 10/728,780 10/728,77910/773,189 10/773,204 10/773,198 10/773,199 10/773,190 10/773,20110/773,191 10/773,183 10/773,195 10/773,196 10/773,186 10/773,20010/773,185 10/773,192 10/773,197 10/773,203 10/773,187 10/773,20210/773,188 10/773,194 10/773,193 10/773,184 6,746,105 6,623,1016,406,129 6,505,916 6,457,809 6,550,895 6,457,812 6,428,133 09/575,14110/407,212 10/815,625 10/815,624 10/815628 09/517539 6566858 09/1127626331946 6246970 6442525 09/517384 09/505951 6374354 09/517608 09/5051476757832 6334190 6745331 09/517541 10/203559 10/203540 10/20356410/636263 10/636283 10/866608 10/902889 10/902883 10/940653 10/94285810/409876 10/409848 10/409845 09/575197 09/575195 09/575159 09/57513209/575123 6825945 09/575130 09/575165 6813039 09/693415 09/5751186824044 09/608970 09/575131 09/575116 6816274 NPA019NUS 09/57513909/575186 6681045 6678499 6679420 09/663599 09/607852 6728000 09/69321909/575145 09/607656 6813558 6766942 09/693515 09/663701 09/5751926720985 09/609303 09/610095 09/609596 09/693705 09/693647 09/72189509/721894 09/607843 09/693690 09/607605 09/608178 09/609553 09/60923309/609149 09/608022 09/575181 09/722174 09/721896 10/291522 671806110/291523 10/291471 10/291470 6825956 10/291481 10/291509 10/29182510/291519 10/291575 10/291557 10/291661 10/291558 10/291587 10/29181810/291576 6829387 6714678 6644545 6609653 6651879 10/291555 10/29151010/291592 10/291542 10/291820 10/291516 10/291,363 10/291487 10/29152010/291521 10/291556 10/291821 10/291525 10/291586 10/291822 10/29152410/291553 10/291511 10/291585 10/291374 10/685523 10/685583 10/68545510/685584 10/757600 10/804034 10/793933 10/853356 10/831232 10/88488210/943875 10/943938 10/943874 10/943872 10/944044 10/943942 10/94404310/949293 10/943877 10/965913 10/954170 NPA174US NPA175US NPA176USNPA177US NPA178US NPA179US NPA181US NPA182US NPA183US NPA184US NPA185USNPA186US NPA187US NPA188US 09/575193 09/575156 09/609232 09/6078446457883 09/693593 10/743671 NPB010US 09/928055 09/927684 09/92810809/927685 09/927809 09/575183 6789194 09/575150 6789191 10/90012910/900127 10/913328 10/913350 NPK010US NPK011US 6644642 6502614 66229996669385 6827116 10/933285 NPM016US 6549935 NPN004US 09/575187 67279966591884 6439706 6760119 09/575198 09/722148 09/722146 6826547 62903496428155 6785016 6831682 6741871 09/722171 09/721858 09/722142 10/17198710/202021 10/291724 10/291512 10/291554 10/659027 10/659026 10/83124210/884885 10/884883 10/901154 10/932044 NPP051US NPP052US NPP053US10/965733 10/965933 NPP058US NPP060US NPP061US NPP9062US 10/65902709/693301 09/575174 6822639 6474888 6627870 6724374 6788982 09/7221416788293 09/722147 6737591 09/722172 09/693514 6792165 09/722088 679559310/291823 6768821 10/291366 10/291503 336797895 10/274817 10/78289410/782895 10/778056 10/778058 10/778060 10/778059 10/778063 10/77806210/778061 10/778057 10/846895 10/917,468 10/917467 10/917466 10/91746510/917356 10/948169 10/948253 10/948157 10/917436 10/943856 10/91937910/943843 10/943878 10/943849 NPS086US 09/575154 09/575129 683019609/575188 09/721862 10/473747 10/120441 10/291577 10/291718 6,789,73110/291543 6766944 6766945 10/291715 10/291559 10/291660 10/40986410/309358 10/410484 10/884884 10/853379 10/786631 10/853782 10/89337210/893381 10/893382 10/893383 10/893384 NPT046US NPT047US NPT048USNPT049US NPT050US NPW001US 10/492,152 NPW003US NPW004US 10/492154NPW007US 10/683151 10/683040 NPW012US 10/919260 NPW013US 10/91926110/778090 09/575189 09/575162 09/575172 09/575170 09/575171 09/57516110/291716 10/291547 10/291538 6786397 10/291827 10/291548 10/29171410/291544 10/291541 10/291584 10/291579 10/291824 10/291713 10/29154510/291546 10/917355 10/913340 10/940668 NPX041US 6593166 10/42882310/849931 10/815621 10/815612 10/815630 10/815637 10/815638 10/81564010/815642 10/815643 10/815644 10/815618 10/815639 10/815635 10/81564710/815634 10/815632 10/815631 10/815648 10/815614 10/815645 10/81564610/815617 10/815620 10/815615 10/815613 10/815633 10/815619 10/81561610/815614 10/815636 10/815649 10/815609 10/815627 10/815626 10/81561010/815611 10/815623 10/815622 10/815629

Some application has been listed by docket numbers, these will bereplace when application number are known.

BACKGROUND

Pharmaceutical Counterfeiting

The pharmaceutical industry is large, and it has continued to growsteadily with worldwide sales reaching US$400 billion in 2002. Around20% of gross sales revenues are spent on R&D. The industry is alsoglobal, and its security structure is largely the result of the need toprotect massive R&D investments. Many Governments are large buyers ofpharmaceuticals in publicly-financed health care systems.

Pharmaceutical expenditure now represents about 15% of total healthexpenditure in Organization for Economic Co-operation and Development(OECD) nations. While trade and manufacturing activities are operatingat an international level, national authorities take into account theposition of their country within a global perspective when designingtheir national policies. There is also a need to balance global industryinterests with concerns for public health and safety.

In this environment there is a need to improve security of thepharmaceutical supply chain through:

-   -   Global trade regulation through International Trade Agreements        (ITAs),    -   Protection of R&D expenditure through patent activity, and    -   Concerns for public health and safety.

Global trade is regulated through ITAs and involves many public agenciespursuing multiple goals that relate to public health, industry and traderegulation, and security policies. The World Trade Organization (WTO) istherefore just one of the many organizations providing agreements ofspecific interest to the pharmaceutical industry.

The following Agreements highlight some of the WTO's key traderequirements now influencing the way the pharmaceutical industry isorganized.

Agreement on Rules of Origin: The rules of origin are the criterianeeded to determine the national origin of a product, and they arenecessary because goods may be subject to different discriminatorymeasures depending on their origin. Rules of origin are the criterianeeded to determine:

-   -   What imported products will receive most-favored nation        treatment or preferential treatment,    -   When to implement measures and instruments of commercial policy        such as anti-dumping duties and safeguard measures,    -   Trade statistics,    -   Labeling and ticketing requirements, and    -   Procedures for government procurement.

Agreement on Import Licensing Procedures: The agreement on importlicensing procedures requires governments to publish sufficientinformation for traders to know how and why the licenses are granted. Italso describes how countries should notify the WTO when they introducenew import licensing procedures, or change existing procedures.

Preshipment Inspection Agreement: The obligations that apply togovernments which use preshipment inspections include:

-   -   Non-discrimination,    -   Transparency,    -   Protection of confidential business information,    -   Avoiding unreasonable delay,    -   The use of specific guidelines for conducting price        verification, and    -   Avoiding conflicts of interest by the inspection agencies.

Agreement on Trade-Related Aspects of Intellectual Property Rights,Including Trade in Counterfeit Goods: The agreement recognizes thatwidely varying standards in the protection and enforcement ofintellectual property rights. The lack of a multilateral framework ofprinciples, rules and disciplines dealing with international trade incounterfeit goods has been a growing source of tension in internationaleconomic relations.

The above WTO provisions are just a few of the wide range of statutoryand regulatory requirements now governing the international and domestictrade behaviour of the pharmaceutical industry. They also highlight theimpending regulatory and statutory pressures likely to mandate the useof unique item identification.

An additional area that has always been of particular concern to theInternational AntiCounterfeiting Coalition (IACC) is the increasingavailability of counterfeit products that have caused and continue topresent threats to public health and safety. Given the heightenedawareness of the past two years, the IACC's concerns with respect topublic health and safety risk, have only increased. WHO estimates thatcounterfeit drugs account for ten percent of all pharmaceuticals, and ofthese 16% contain the wrong ingredients, with 60% having no activeingredients at all. That proportion of counterfeit drugs can rise to ashigh as 60% in developing countries.

In addition to using the pharmaceutical industry as a means to raisefunds, the potential exists for terrorists to use the commission of thecrime itself as a means of attack, for example by shipping counterfeitproduct containing deadly biotoxins. The United States Congressrecognizes the increasing role of organized crime and terrorist activityin the theft of intellectual property through Trademark misuse and drugcounterfeiting, and the threat that these pose for public health andsafety. Proceeds are often used to fund more violent activities. TheIACC have been tracking the influx of terrorist organizations intocriminal and counterfeiting and there is now ample evidence to suggestthat links exist.

It should also be noted here, that there is a significant overlapbetween security concerns and issues raised by the need to strengthenbrand protection. It is simply not possible for the pharmaceuticalindustry to effectively address all of the security and brand protectionconcerns raised without adopting an automated unique item identificationprocess to improve drug authentication, and to be able to activelymonitor the physical flow of goods from its source to the customer.

In view of pressures for the pharmaceutical industry to address securityand brand protection concerns, it becomes necessary to consider theadoption of new technologies. The two key capabilities required toimprove overall efficiency and to protect the supply chain, are trackand trace and product authentication.

While there are some compelling arguments supporting the introduction oftrack and trace, and product authentication solutions, there are alsocomplexities that need to be addressed.

Two fundamental goals of the pharmaceutical industry are consumer careand public safety. To achieve these goals in the United States, the FDAand individual states regulate the industry through laws andadministrative orders designed to protect the integrity of drugsthroughout the pharmaceutical supply chain. Implicit in the laws is theadministrative requirement for drug authentication and the ability to dotrack and trace.

Track and trace forms the foundation for improved patient safety bygiving manufacturers, distributors and pharmacies a systemic method todetect and control counterfeiting, drug diversions and mishandling.

The introduction of track and trace capabilities also introduces theconcept of a pedigree. Florida recently gained national attention byintroducing a legislative bill to establish a pedigree for each drugsold in the State. Although this bill has not yet become law, itsintention is to verify authenticity and reduce the risk of counterfeititems entering the supply chain. Specifically, the bill calls for thefollowing pedigree information to accompany each drug through all stepsof the supply chain:

-   -   Drug name,    -   Dosage,    -   Container size,    -   Number of containers,    -   Drug lots or control numbers,    -   Business name and address of all parties to each prior        transaction, starting with the manufacturer, and    -   The date of each previous transaction.

Other countries have also moved forward with pedigree regulations. Mostnotably the Italian government, with financial support from the EuropeanUnion, began to enforce the track and trace of pharmaceuticals with theBollini Law in 2000. This law requires the use of a special stickercontaining a serial number and a trace of all parties within the supplychain. However, this has created great difficulty for manufacturers anddistributors. As a result, the full implementation of the law will nottake place until June 2004 because of a lack of technology to handle thetask of recording and archiving the serial numbers. An additionalproblem is that the design specifications of the database structureneeded to support track and trace, have still not yet been determined.

Although the physical form of goods changes throughout manufacturing anddistribution, a link still exists for all raw materials and the workprocesses used to produce the finished goods. This type of linkdemonstrates inheritance of specific attributes. Each medicine used bythe patient has a specific lot number and expiration date printed on thecontainer. The drug is shipped on a identifiable truck, at a particulartemperature for a specific duration. The effectiveness of the medicineultimately depends on the quality of the manufacturing process and theenvironmental conditions of transport and storage. These are allinherited attributes that form the pedigree.

Organizing the large number of informational links for allpharmaceutical product items in the supply chain becomes complex. Tosimplify product data management, two additional concepts are required.These are data aggregation and data inheritance.

Data inheritance is the history of the parent data. It is the logicalequivalent of item aggregation or assembly. By viewing data within asupply chain as a series of parent-child relationships, track and tracebecomes possible. To reconstruct the history of an item, each change inform must transfer from parent to child.

Data aggregation joins linked or like data together to reduce the numberof readings at critical points within the supply chain, and thus makingthe capture of informational links needed for large-scale drugauthentication, and track and trace, more feasible. If data aggregationwere not possible, the identifiers for each product on the pallet wouldneed to be read, resulting in a number of additional reads, especiallywhen dealing with pallet level shipments.

To overcome the problems associated with the generation of a huge amountof product data, there is considerable interest in expanding orreplacing the Universal Product Code (UPC) now in use for barcodes. InNorth America a product is typically identified by a 12-digit UniversalProduct Code (UPC), and in Europe and other regions by a 13-digitEuropean Article Number (EAN) which are machine-readable product codesin the form of a printed 2D bar code. The Uniform Code Council (UCC) andEAN define and administer the UPC and related codes as subsets of the14-digit Global Trade Item Number (GTIN).

The Auto-ID Center has defined a standard for mapping of the GTIN intothe 96-bit Electronic Product Code (EPC) to help ensure compatibilitybetween the EPC and current practices. The MIT Auto-ID Center hasdeveloped a standard for a 96-bit Electronic Product Code (EPC), coupledwith an Internet-based Object Naming Service (ONS) and a Product MarkupLanguage (PML). Once an EPC is scanned, it is used to look up, via theONS, matching product information encoded in PML. The EPC consists of an8-bit header, a 28-bit object class, and a 36-bit serial number.Although EPCs can be encoded in many physical forms, and carried over arange of interfaces, the Auto-ID Center strongly advocate the benefitsof using low cost passive RFID tags to carry EPCs for individual itemidentification.

The appeal of an Auto-ID solution lies in the ability to use the EPC asa pointer to look up information about a drug that is contained in aremote database. The EPC acts as a persistent link to verify if the itemhas been legitimately obtained. This will act as a strong deterrent forfraud at many points along the supply chain. If and when a customerdecides to return an item, or if there is a suspected problem with thecontents, then there is a persistent link to information to validateproduct details. It prevents illegal returns, protects customers in theevent of medical problems resulting from product use—or misuse—and itmakes it possible to track customers and customized products that mightbe used by the wrong person and resulting in medical problems. Inventorycontrol and reordering functions will be far more reliable.

The item's EPC serves as a key into a distributed PML database whichrecords the characteristics of the item and its evolving history as itproceeds through the pharmaceutical supply chain. PML servers, locatedat each node of the supply chain, and secure Internet basedcommunication combine to provide the primary handling structure andmeans. Tracking of higher level units (e.g. pallet or shipping company,dispatch/order number and transport route) in the supply chain isimplicit. Readers installed at all transit entry and exit points can beused to automatically track movement and update dispatch logs at allpoints in the supply chain. Either the Internet or dedicated computernetworks can provide the communication links.

The hardware components for an Auto-ID solution are technologicallyfeasible with significant development having taken place during the pastseveral years. A number of vendors are capable of producing keyinfrastructure components to meet the specific requirements of thepharmaceutical industry.

Besides the proposed applications in improving track and trace, and drugauthentication, Auto-ID infrastructure also serves as the foundation forfuture applications of importance to the health care industry. Forexample, the Human Genome Project creates greater opportunities forengineering drugs to treat small groups of individuals that suffer fromspecific illnesses. These ‘designer drugs’ will be manufactured in smalllot sizes on a make to order basis. In this environment, logistics andcoordination takes on a new form as thousands of biotechnology drugsflood the pharmaceutical supply chain. Delivery of these new drugs tothe right group of people presents a challenge that the currentlogistical system may not handle effectively.

However, this new capability does have drawbacks: The task of handlingstreaming information for the estimated 6 billion individualpharmaceutical items sold in the United States last year alone, taxesthe capacity of the Internet or dedicated computer networks—even whenthe data aggregation and inheritance concepts are used. An additionalcomplexity is that the Auto-ID approach would have to be fine-tuned interms of information synchronisation among many different supply chainpartners to ensure a high level of reliability for pedigree and drugauthentication information. If a single supply chain partner did notproperly handle information, pedigrees might show gaps that would raisecounterfeit questions. The Auto-ID approach also assumes differententities within the pharmaceutical supply chain can achieve a commonlevel of cooperation in supporting this information infrastructure.

A further difficulty to overcome is that the Auto-ID approach assumesthat all drug manufacturers, carriers, wholesalers and pharmacies havethe necessary hardware and computing ability to read and process EPCinformation. It is therefore unrealistic to believe that this capabilitywill occur immediately.

Thus, it is likely that the pharmaceutical industry will continue toadopt an evolutionary approach to the standardisation of unique itemidentification technology throughout the manufacturing and supplychains. It is also likely that a range of technologies will need to beadopted and integrated to introduce incremental improvements in securityand supply chain efficiency.

Currently two main types of technologies offering alternative methods ofunique product item identification, such as EPCs, namely:

-   -   2D optical barcodes, and    -   Radio Frequency Identification tags (RFID).

A 2D optical barcode consists of a composite image that can store about2,000 bytes of data along two dimensions. The Uniform Code Council andEuropean Article Numbering (EAN) International have standardized a rangeof 2D barcodes, all with a significantly larger data capacity than theexisting EPC.

2D optical barcodes are now widely used in the global pharmaceuticalindustry. In the United States, the Food and Drug Administration (FDA)has mandated their use on all pharmaceutical goods manufactured withinits jurisdiction to identify product lines. The main advantage drivingtheir acceptance is that they are inexpensive to produce.

The main disadvantage of 2D optical barcodes is that they are oftendifficult to read due to label damage and a direct ‘line-of-sight’ isneeded for scanning. In addition to this, 2-D optical barcodes areunsightly and therefore detrimental to the packaging of the product.This problem is exacerbated in the case of pharmaceuticals, whichgenerally use small packaging, but require a relatively large bar-codewhich can therefore obscure a substantial part of the packaging.

An RFID tag is a technology that incorporates the use of electromagneticor electrostatic coupling to uniquely identify an object. It consists ofthree parts: antenna, transceiver, and transponder.

In the case of Pharmaceuticals RFID tags provide unique product itemidentification encoded in the form of an EPC. The pharmaceuticalindustry recognizes the many advantages of introducing accurate andreliable unique item identification technology. The expected advantagesinclude:

-   -   Dramatically eliminate inventory loss and write-offs due to        ‘shrinkage’,    -   Improve productivity in dispatch and receiving of goods,    -   Significantly reduce the time required to identify the location        of products for recall if required,    -   Provide an efficient basis for satisfying regulatory        requirements,    -   Increase assurance of shipment accuracy, and therefore reduce        the number of customer complaints, and    -   Provide a lot and expiration date tracking capability.

RFID tracking could be automated to help improve the integrity of thepharmaceutical supply chain. By identifying and tracking products in thesupply chain, companies can maintain a much tighter control overlegitimate shipments, and ensure that they are not hijacked or stolen.This can prevent products from falling into the hands of counterfeiters,who could dilute or alter the drugs, and then distribute them tounsuspecting pharmacies and customers. For this reason, many majorpharmaceutical companies, such as Johnson & Johnson and Eli Lilly andCompany, are now exploring the possibility of using RFID tags on alldrug shipments.

There are also regulatory requirements driving the adoption of RFIDtechnologies. The FDA plays a lead role in providing a forum andguidance for new technology adoption and is actively encouraging theimplementation of ways to authenticate prescription drugs through thesupply chain to ensure compliance and patient safety. Working withpharmaceutical companies and vendors of anti-counterfeit securitysystems, the FDA identifies technologies that are able to protect theindustry against various threats to customers and brand protection.Although it does not specify which technologies are able to respond tothe identified threats, it does specify the security features that needto be employed on the product packaging and shipping materials. TheHealthcare Distribution Management Association (HDMA) has alsorecommended that pharmaceutical manufacturers and wholesalers useproduct identifiers on cases by 2005, and that RFID tags at item levelshould be deployed by 2007.

Recently, the FDA has published a proposed rule referred to as ‘Bar CodeLabel Requirements for Human Drug Products and Blood FDA Proposed Rule(14 Mar., 2003). Bar Code Label Requirements for Human Drug Products andBlood, Federal Register (Vol. 68, No. 50) pp. 12499-12534. The proposedrule will require pharmaceutical companies to identify each drug, anddosage using linear barcodes. The need to include lot number andexpiration dates are still under consideration. Although the benefits ofusing unique item identification are now being considered, this is notlikely for some time as at present there are no suitable solutionsavailable.

However, in addition to the forecast benefits and regulatory pressuresfor RFID use, there are also some disadvantages that make RFID tagsunsuitable for some pharmaceutical products.

First, RFID tags are costly to produce. The current cost of producing anRFID is around 30-50 cents. While this cost can be significantly reducedonce high production volumes and wide acceptance have been achieved, itis unlikely that the cost will fall below 5 cents per RFID tag in theforeseeable future. There are also some additional costs associated withintegrating the RFID tags into packaging and labeling.

A further problem is that the presence of metals, liquids and otherelectromagnetic frequency (EMF) signals can interfere with RFID tagscanners, and thus seriously jeopardize the reliability and integrity ofthe RFID system. In the pharmaceutical industry, many radiopaquematerials are used in both the content and containers of goods. Toovercome this problem for RFID systems, it is necessary to splitindividual boxes of goods so that they can be conveyed past RFID tagreaders, making dock-to-dock transfers more time-consuming. Theserestrictions will also apply at item level at the point-of-sale (POS).This alone would make them unsuitable for large-scale deployment.

A third disadvantage of RFID tags concerns customer privacy. If, forexample, a terminally ill cancer patient collected their RFID taggedmorphine sulphate prescription, then it might be possible for a personto illegally use a scanning device to detect the nature of the contentsby reading an RFID tag without the knowledge of the owner.

Knowing the contents, that person may then decide to steal the goods.However, the risk can be reduced by ensuring that once an item has goneto a customer, access to information over the network is thendynamically altered and secured to protect personal information orproduct details. This could be done using virtual customer records thatcomply with emerging standards for managing and securing patientinformation folders (PIFs) for the healthcare system.

Collectively, these disadvantages mean that it is unlikely that RFIDtags will ever become suitable for all pharmaceutical or therapeuticitems, and as such will only ever be able to be deployed as analternative technology and adopted alongside some other form of productidentification system.

Surface Coding Background

The Netpage surface coding consists of a dense planar tiling of tags.Each tag encodes its own location in the plane. Each tag also encodes,in conjunction with adjacent tags, an identifier of the regioncontaining the tag. This region ID is unique among all regions. In theNetpage system the region typically corresponds to the entire extent ofthe tagged surface, such as one side of a sheet of paper.

The surface coding is designed so that an acquisition field of viewlarge enough to guarantee acquisition of an entire tag is large enoughto guarantee acquisition of the ID of the region containing the tag.Acquisition of the tag itself guarantees acquisition of the tag'stwo-dimensional position within the region, as well as othertag-specific data. The surface coding therefore allows a sensing deviceto acquire a region ID and a tag position during a purely localinteraction with a coded surface, e.g. during a “click” or tap on acoded surface with a pen.

The use of netpage surface coding is described in more detail in thefollowing copending patent applications, U.S. Ser. No. 10/815,647(docket number HYG001US), entitled “Obtaining Product Assistance” filedon 2^(nd) Apr. 2004; and U.S. Ser. No. 10/815,609 (docket numberHYT001US), entitled “Laser Scanner Device for Printed ProductIdentification Cod” filed on 2^(nd) Apr. 2004.

Cryptography Background

Cryptography is used to protect sensitive information, both in storageand in transit, and to authenticate parties to a transaction. There aretwo classes of cryptography in widespread use: secret-key cryptographyand public-key cryptography.

Secret-key cryptography, also referred to as symmetric cryptography,uses the same key to encrypt and decrypt a message. Two parties wishingto exchange messages must first arrange to securely exchange the secretkey.

Public-key cryptography, also referred to as asymmetric cryptography,uses two encryption keys. The two keys are mathematically related insuch a way that any message encrypted using one key can only bedecrypted using the other key. One of these keys is then published,while the other is kept private. They are referred to as the public andprivate key respectively. The public key is used to encrypt any messageintended for the holder of the private key. Once encrypted using thepublic key, a message can only be decrypted using the private key. Thustwo parties can securely exchange messages without first having toexchange a secret key. To ensure that the private key is secure, it isnormal for the holder of the private key to generate the public-privatekey pair.

Public-key cryptography can be used to create a digital signature. Ifthe holder of the private key creates a known hash of a message and thenencrypts the hash using the private key, then anyone can verify that theencrypted hash constitutes the “signature” of the holder of the privatekey with respect to that particular message, simply by decrypting theencrypted hash using the public key and verifying the hash against themessage. If the signature is appended to the message, then the recipientof the message can verify both that the message is genuine and that ithas not been altered in transit.

Secret-key can also be used to create a digital signature, but has thedisadvantage that signature verification can also be performed by aparty privy to the secret key.

To make public-key cryptography work, there has to be a way todistribute public keys which prevents impersonation. This is normallydone using certificates and certificate authorities. A certificateauthority is a trusted third party which authenticates the associationbetween a public key and a person's or other entity's identity. Thecertificate authority verifies the identity by examining identitydocuments etc., and then creates and signs a digital certificatecontaining the identity details and public key. Anyone who trusts thecertificate authority can use the public key in the certificate with ahigh degree of certainty that it is genuine. They just have to verifythat the certificate has indeed been signed by the certificateauthority, whose public key is well-known.

To achieve comparable security to secret-key cryptography, public-keycryptography utilises key lengths an order of magnitude larger, i.e. afew thousand bits compared with a few hundred bits.

Schneier B. (Applied Cryptography, Second Edition, John Wiley & Sons1996) provides a detailed discussion of cryptographic techniques.

SUMMARY OF THE INVENTION

In a first broad form the invention provides a transaction terminal forperforming transactions relating to a pharmaceutical product, thepharmaceutical product being associated with packaging having disposedthereon or therein coded data including a number of coded data portions,each coded data portion being indicative of an identity of thepharmaceutical product, the transaction terminal including: a radiationsource for exposing at least one coded data portion; a sensor forsensing the at least one exposed coded data portion; and, a processorfor: determining, using the at least one sensed coded data portion, asensed identity; and, performing the transaction using the sensedidentity.

Optionally, the processor uses the identity to perform at least one of:authentication of the pharmaceutical product; approval of thetransaction; determination of transaction details; and, updating oftracking information relating to the pharmaceutical product.

Optionally, the transaction terminal is at least one of: a cashregister; a vending machine; a supermarket checkout; a handheld scannerattached to a computer system.

Optionally, the identity is formed at least in part from at least oneof: a serial number of the pharmaceutical product; an identity of thepharmaceutical product; an EPC; an identity of the packaging; and, anidentity of a region of the packaging.

Optionally, coded data portion is indicative of at least part of asignature, the signature being a digital signature of at least part ofthe identity, and wherein the processor: determines, using the at leastone sensed coded data portion, at least one sensed signature part;causes authentication of the pharmaceutical product using the sensedidentity and the at least one sensed signature part.

Optionally, the processor: generates indicating data at least partiallyindicative of the sensed identity and the at least one sensed signaturepart; and, transfers the indicating data to a computer system, thecomputer system being responsive to the indicating data to: determine,using the indicating data, the sensed identity and the at least onesensed signature part; and, authenticate the pharmaceutical productusing the sensed identity and the at least one sensed signature part.

Optionally, the pharmaceutical product is authenticated by at least oneof the processor and a computer system, which: determines, using thesensed identity, a key; determines, using the sensed identity and thekey, a determined signature; and, compares the at least one sensedsignature part and the determined signature to thereby authenticate thepharmaceutical product.

Optionally, the entire signature is encoded within a plurality of codeddata portions, the processor determines, from a plurality of sensedcoded data portions, a sensed signature, and wherein pharmaceuticalproduct is authenticated by at least one of the processor, and acomputer system, which: determines, using the sensed identity, a key;determines, using the sensed signature and the key, a determinedidentity; and, compares the determined identity and the sensed identityto thereby authenticate the pharmaceutical product.

Optionally, the coded data includes a plurality of layouts, each layoutdefining the position of a plurality of first symbols encoding theidentity, and a plurality of second symbols defining at least part ofthe signature.

Optionally, the transaction terminal includes a communication system forcommunicating with a database, the database storing data relating thepharmaceutical product, including at least one of: authentication data,including at least a key associated with a signature, the signaturebeing a digital signature of at least part of the identity; trackingdata, the tracking data being at least partially indicative of trackinginformation including at least one of: an owner of the pharmaceuticalproduct; one or more transactions performed using the pharmaceuticalproduct; a location of the pharmaceutical product; and, a location ofthe sensing device. product data, the product data being at leastpartially indicative of product information including at least one of: aproduct cost; a patient identifier; a user identifier; an owneridentifier; manufacture date; batch number; product manufacturer;product distributor; product supplier; issue country; ingredients;storage conditions; disposal conditions; serial number; expiry date;effects; side-effects; conditions for use; instructions for use; linksto further information; contra-indications; and, dosage.

Optionally, the transaction terminal includes a display for displayingat least one of: results of authentication; tracking information; and,product information.

Optionally, the coded data is substantially invisible to an unaidedhuman.

Optionally, the coded data is printed on the surface using at least oneof: an invisible ink; and, an infrared-absorptive ink.

Optionally, the coded data is provided substantially coincident withvisible human-readable information.

Optionally, the coded includes a number of coded data portions, andwherein at least some of the coded data portions encode at least one of:a location of the respective coded data portion; a position of therespective coded data portion on the surface; a size of the coded dataportions; a signature part; a size of a signature; an identity of asignature part; units of indicated locations; and, at least part of adata object, the entire data object being encoded at least once by aplurality of coded data portions.

Optionally, the data object includes at least one of: MultipurposeInternet Mail Extensions (MIME) data; text data; image data; audio data;video data; application data; contact data; information; business carddata; and, directory data.

Optionally, the coded data includes at least one of: redundant data;data allowing error correction; Reed-Solomon data; and, CyclicRedundancy Check (CRC) data.

Optionally, the digital signature includes at least one of: a randomnumber associated with the identity; a keyed hash of at least theidentity; a keyed hash of at least the identity produced using a privatekey, and verifiable using a corresponding public key; cipher-textproduced by encrypting at least the identity; cipher-text produced byencrypting at least the identity and a random number; and, cipher-textproduced using a private key, and verifiable using a correspondingpublic key.

Optionally, the coded data is arranged in accordance with at least onelayout having n-fold rotational symmetry, where n is at least two, thelayout including n identical sub-layouts rotated 1/n revolutions apartabout a centre of rotation, at least one sub-layout includingrotation-indicating data that distinguishes that sub-layout from eachother sub-layout.

Optionally, the coded data is arranged in accordance with at least onelayout having n-fold rotational symmetry, where n is at least two, thelayout encoding orientation-indicating data comprising a sequence of aninteger multiple m of n symbols, where m is one or more, each encodedsymbol being distributed at n locations about a centre of rotationalsymmetry of the layout such that decoding the symbols at each of the norientations of the layout produces n representations of theorientation-indicating data, each representation comprising a differentcyclic shift of the orientation-indicating data and being indicative ofthe degree of rotation of the layout.

Optionally, the transaction terminal includes a printer for printing thepackaging, the printer being for: determining visible information to beprovided on the packaging; determining an identity associated with thepharmaceutical product; generating coded data using the identity; and,printing the packaging by printing the coded data and the visibleinformation.

Optionally, the transaction terminal further performs a method ofallowing a user to interact with the pharmaceutical product, the methodincluding, in a computer system: receiving indicating data from asensing device, the sensing device being responsive to sensing of thecoded data to generate indicating data at least partially indicative ofthe identity; determining, using the indicating data, at least oneaction; and, performing the action associated with the pharmaceuticalproduct, the action including at least one of: providing information toa user; updating tracking information relating to the pharmaceuticalproduct; performing a transaction relating to the pharmaceuticalproduct; authenticating the pharmaceutical product; and, receivingfeedback from the user.

Optionally, the transaction terminal further performs a method forauthenticating the pharmaceutical product, each coded data portion beingfurther indicative of a signature, the signature being a digitalsignature of at least part of the identity and being encoded within aplurality of coded data portions, wherein the method includes: in asensing device: sensing at least one coded data portion; and,generating, using the sensed coded data portion, indicating dataindicative of: the identity; and, the at least one signature part; in aprocessor: determining, from the indicating data: a determined identity;and, at least one determined signature part; authenticating thepharmaceutical product using the determined identity and the at leastone determined signature part.

Optionally, the transaction terminal further performs a method forauthenticating the pharmaceutical product, each coded data portion beingfurther indicative a signature, the signature being a digital signatureof at least part of the identity, wherein the method includes, in acomputer system: receiving indicating data from a sensing device, thesensing device being responsive to sensing of the coded data to generateindicating data at least partially indicative of: the identity of thepharmaceutical product; and, the signature part; determining, from theindicating data: a determined identity; and, at least one determinedsignature part; authenticating the pharmaceutical product using thedetermined identity and the at least one determined signature part.

Optionally, the transaction terminal further performs a method ofdetermining a possible duplication of pharmaceutical product packaging,wherein the method includes, in a computer system: receiving indicatingdata from a sensing device, the sensing device being responsive tosensing of the coded data to generate indicating data indicative of theidentity; determining, from the indicating data, a determined identity;accessing, using the determined identity, tracking data relating to thepharmaceutical product, the tracking data being at least partiallyindicative of the location of the pharmaceutical product; and,determining, using the tracking data, if the pharmaceutical product is apossible duplicate.

Optionally, the transaction terminal further performs a method oftracking the pharmaceutical product, the method including, in a computersystem: receiving indicating data from a sensing device, the sensingdevice being responsive to sensing of the coded data to generateindicating data indicative of the identity of the product item; and,updating, using the received indicating data, tracking data at leastpartially indicative of tracking information.

Optionally, the transaction terminal further performs a method ofproducing pharmaceutical product packaging, wherein the method includes,in a computer system: determining a serial number associated with thepharmaceutical product; generating, using the serial number, anidentity; generating, using the identity, a signature; causinggeneration of coded data using the identity, the coded data including anumber of coded data portions, each coded data portion encoding theidentity; and, at least part of the signature, the signature being adigital signature of at least part of the identity; causing printing of,on the pharmaceutical product packaging: at least some coded data, andat least one of: the identity; and, the serial number.

Optionally, the transaction terminal further performs a method ofdispensing the pharmaceutical product, the method including, in acomputer system: receiving indicating data from a sensing device, thesensing device being responsive to sensing of the coded data to generateindicating data at least partially indicative of the identity;determining, using the indicating data and from a dispensing database,at least one criterion for dispensing the pharmaceutical product; and,causing the pharmaceutical product to be dispensed if the at least onecriterion is satisfied.

Optionally, the transaction terminal further includes a sensing devicefor use with the pharmaceutical product, the sensing device including: ahousing adapted to be held by a user in use; a radiation source forexposing at least one coded data portion; a sensor for sensing the atleast one exposed coded data portion; and, a processor for determining,using the at least one sensed coded data portion, a sensed identity. Ina second broad form the invention provides a printer for printingpackaging associated with a pharmaceutical product, the printer beingfor: determining visible information to be provided on the packaging;determining an identity associated with the pharmaceutical product;generating coded data using the identity, the coded data including anumber of coded data portions, each coded data portion being indicativeof at least the identity of the pharmaceutical product; and, printingthe packaging by printing the coded data and the visible information.

Optionally, each coded data portion is indicative of at least part of asignature, the signature being a digital signature of at least part ofthe identity, and wherein the printer: determines the signature; and,generates the coded data using the signature.

Optionally, printer includes: a secure data store data; and, a processorwhich generates the signature using data stored in the data store.

Optionally, the printer encodes the entire signature within a pluralityof coded data portions.

Optionally, the printer: determines a layout, the layout being at leastone of: a coded data layout, the layout being indicative of the positionof each coded data portion on the packaging; and, a documentdescription, the document description being indicative of the positionof the visible information on the packaging; and, prints, using thelayout, at least one of the coded data and the visible information.

Optionally, the printer includes a communication system forcommunicating with a database, the database storing data relating thepharmaceutical product, including at least one of: authentication data,including at least a key associated with a signature, the signaturebeing a digital signature of at least part of the identity; trackingdata, the tracking data being at least partially indicative of trackinginformation including at least one of: an owner of the pharmaceuticalproduct; one or more transactions performed using the pharmaceuticalproduct; a location of the pharmaceutical product; and, a location ofthe sensing device; and, product data, the product data being at leastpartially indicative of product information including at least one of: aproduct cost; a patient identifier; a user identifier; an owneridentifier; manufacture date; batch number; product manufacturer;product distributor; product supplier; issue country; ingredients;storage conditions; disposal conditions; serial number; expiry date;effects; side-effects; conditions for use; instructions for use; linksto further information; contra-indications; and, dosage.

Optionally, the printer, at least one of: updates at least some of thedata relating to the pharmaceutical product; and, generates the codeddata using at least some of the data relating to the pharmaceuticalproduct.

Optionally, the identity is formed at least in part from at least oneof: a serial number of the pharmaceutical product; an identity of thepharmaceutical product; an EPC; an identity of the packaging; and, anidentity of a region of the packaging.

Optionally, packaging includes at least one of: a blister pack; abottle; a bottle lid; a label; a box; and, a leaflet.

Optionally, the printer: receives the packaging; scans the packaging todetermine information indicative of at least one of: a source of thepharmaceutical product; a pharmaceutical product type; the identity ofthe pharmaceutical product; and, the serial number of the pharmaceuticalproduct; and, generates using the determined information, at least partof the coded data.

Optionally, the coded data is indicative of a plurality of referencepoints such that sensing of at least one coded data portion, by asensing device, allows for determination of at least one of: theidentity; at least one signature part; a position of the sensing devicerelative to the packaging; and, movement of the sensing device relativeto the packaging.

Optionally, the coded data is substantially invisible to an unaidedhuman.

Optionally, the coded data is printed on the surface using at least oneof: an invisible ink; and, an infrared-absorptive ink.

Optionally, the coded data is provided substantially coincident withvisible human-readable information.

Optionally, the coded includes a number of coded data portions, andwherein at least some of the coded data portions encode at least one of:a location of the respective coded data portion; a position of therespective coded data portion on the surface; a size of the coded dataportions; a signature part; a size of a signature; an identity of asignature part; units of indicated locations; and, at least part of adata object, the entire data object being encoded at least once by aplurality of coded data portions.

Optionally, the data object includes at least one of: MultipurposeInternet Mail Extensions (MIME) data; text data; image data; audio data;video data; application data; contact data; information; business carddata; and, directory data.

Optionally, the coded data includes at least one of: redundant data;data allowing error correction; Reed-Solomon data; and, CyclicRedundancy Check (CRC) data.

Optionally, the digital signature includes at least one of: a randomnumber associated with the identity; a keyed hash of at least theidentity; a keyed hash of at least the identity produced using a privatekey, and verifiable using a corresponding public key; cipher-textproduced by encrypting at least the identity; cipher-text produced byencrypting at least the identity and a random number; and, cipher-textproduced using a private key, and verifiable using a correspondingpublic key.

Optionally, the coded data is arranged in accordance with at least onelayout having n-fold rotational symmetry, where n is at least two, thelayout including n identical sub-layouts rotated 1/n revolutions apartabout a centre of rotation, at least one sub-layout includingrotation-indicating data that distinguishes that sub-layout from eachother sub-layout.

Optionally, the coded data is arranged in accordance with at least onelayout having n-fold rotational symmetry, where n is at least two, thelayout encoding orientation-indicating data comprising a sequence of aninteger multiple m of n symbols, where m is one or more, each encodedsymbol being distributed at n locations about a centre of rotationalsymmetry of the layout such that decoding the symbols at each of the norientations of the layout produces n representations of theorientation-indicating data, each representation comprising a differentcyclic shift of the orientation-indicating data and being indicative ofthe degree of rotation of the layout.

Optionally, the printer includes a transaction terminal for performingtransactions relating to the pharmaceutical product, the transactionterminal including: a radiation source for exposing at least one codeddata portion; a sensor for sensing the at least one exposed coded dataportion; and, a processor for: determining, using the at least onesensed coded data portion, a sensed identity; and, performing thetransaction using the sensed identity.

Optionally, the printer further performs a method of allowing a user tointeract with the pharmaceutical product, the method including, in acomputer system: receiving indicating data from a sensing device, thesensing device being responsive to sensing of the coded data to generateindicating data at least partially indicative of the identity;determining, using the indicating data, at least one action; and,performing the action associated with the pharmaceutical product, theaction including at least one of: providing information to a user;updating tracking information relating to the pharmaceutical product;performing a transaction relating to the pharmaceutical product;authenticating the pharmaceutical product; and, receiving feedback fromthe user.

Optionally, the printer further performs a method for authenticating thepharmaceutical product, each coded data portion being further indicativeof a signature, the signature being a digital signature of at least partof the identity and being encoded within a plurality of coded dataportions, wherein the method includes: in a sensing device: sensing atleast one coded data portion; and, generating, using the sensed codeddata portion, indicating data indicative of: the identity; and, the atleast one signature part; in a processor: determining, from theindicating data: a determined identity; and, at least one determinedsignature part; authenticating the pharmaceutical product using thedetermined identity and the at least one determined signature part.

Optionally, the printer further performs a method for authenticating thepharmaceutical product, each coded data portion being further indicativeof a signature, the signature being a digital signature of at least partof the identity, wherein the method includes, in a computer system:receiving indicating data from a sensing device, the sensing devicebeing responsive to sensing of the coded data to generate indicatingdata at least partially indicative of: the identity of thepharmaceutical product; and, the signature part; determining, from theindicating data: a determined identity; and, at least one determinedsignature part; authenticating the pharmaceutical product using thedetermined identity and the at least one determined signature part.

Optionally, the printer further performs a method of determining apossible duplication of the packaging, wherein the method includes, in acomputer system: receiving indicating data from a sensing device, thesensing device being responsive to sensing of the coded data to generateindicating data indicative of the identity; determining, from theindicating data, a determined identity; accessing, using the determinedidentity, tracking data relating to the pharmaceutical product, thetracking data being at least partially indicative of the location of thepharmaceutical product; and, determining, using the tracking data, ifthe pharmaceutical product is a possible duplicate.

Optionally, the printer further performs a method of tracking thepharmaceutical product, the method including, in a computer system:receiving indicating data from a sensing device, the sensing devicebeing responsive to sensing of the coded data to generate indicatingdata indicative of the identity of the product item; and, updating,using the received indicating data, tracking data at least partiallyindicative of tracking information.

Optionally, the printer further performs a method of producing thepackaging, wherein the method includes, in a computer system:determining a serial number associated with a pharmaceutical product;generating, using the serial number, an identity; generating, using theidentity, a signature; causing generation of coded data using theidentity, the coded data including a number of coded data portions, eachcoded data portion encoding the identity; and, at least part of thesignature, the signature being a digital signature of at least part ofthe identity; causing printing of, on the pharmaceutical productpackaging: at least some coded data, and at least one of: the identity;and, the serial number.

Optionally, the printer further performs a method of dispensing thepharmaceutical product, the method including, in a computer system:receiving indicating data from a sensing device, the sensing devicebeing responsive to sensing of the coded data to generate indicatingdata at least partially indicative of the identity; determining, usingthe indicating data and from a dispensing database, at least onecriterion for dispensing the pharmaceutical product; and, causing thepharmaceutical product to be dispensed if the at least one criterion issatisfied.

Optionally, the printer further includes a sensing device for use withthe pharmaceutical product, the sensing device including: a housingadapted to be held by a user in use; a radiation source for exposing atleast one coded data portion; a sensor for sensing the at least oneexposed coded data portion; and, a processor for determining, using theat least one sensed coded data portion, a sensed identity. In a thirdbroad form the invention provides a method of allowing a user tointeract with a pharmaceutical product, the pharmaceutical product beingassociated with packaging having disposed thereon or therein coded data,at least some of the coded data being indicative of at least anidentity, the method including, in a computer system: receivingindicating data from a sensing device, the sensing device beingresponsive to sensing of the coded data to generate indicating data atleast partially indicative of the identity; determining, using theindicating data, at least one action; and, performing the actionassociated with the pharmaceutical product, the action including atleast one of: providing information to a user; updating trackinginformation relating to the pharmaceutical product; performing atransaction relating to the pharmaceutical product; authenticating thepharmaceutical product; and, receiving feedback from the user.

Optionally, the identity is formed at least in part from at least oneof: a coded data portion identity; an identity of the pharmaceuticalproduct; an EPC; an identity of the packaging; and, an identity of aregion of the packaging, the region being associated with a respectiveaction.

Optionally, the method includes, in the computer system: determining,using the indicating data, a description; and, determining, using thedescription, the action.

Optionally, the coded data is indicative of a plurality of referencepoints, the indicating data being at least partially indicative of atleast one of: a position of the sensing device relative to thepackaging; and, movement of the sensing device relative to thepackaging, and wherein the method includes, in the computer system:determining, using the indicating data, at least one of a determinedposition and determined movement; and, performing the action at least inpart based on at least one of the determined position and determinedmovement.

Optionally, the coded data includes a number of coded data portions,each coded data portion being indicative of at least part of asignature, the signature being a digital signature of at least part ofthe identity, wherein, in response to sensing of at least one coded dataportion, the sensing device generates indicating data at least partiallyindicative of at least one signature part, and wherein the methodincludes, in the computer system: determining, from the indicating data,a determined identity and at least one determined signature part; and,authenticating the pharmaceutical product using the determined identityand the at least one determined signature part.

Optionally, the entire signature is encoded within a plurality of codeddata portions and wherein the method includes, in the sensing device,sensing a number of coded data portions to thereby determine the entiresignature.

Optionally, the coded data includes a plurality of layouts, each layoutdefining the position of a plurality of first symbols encoding theidentity, and a plurality of second symbols defining at least part ofthe signature.

Optionally, the information includes at least one of: a product cost; apatient identifier; a user identifier; an owner identifier; manufacturedate; batch number; product manufacturer; product distributor; productsupplier; issue country; ingredients; storage conditions; disposalconditions; serial number; expiry date; effects; side-effects;conditions for use; instructions for use; links to further information;contra-indications; and, dosage.

Optionally, the feedback includes at least one of: an indication of theeffects of the pharmaceutical product; marketing feedback; questionsrelating to the pharmaceutical product; and, answers to customersurveys.

Optionally, the tracking information is indicative of at least one of:the current owner of the pharmaceutical product; one or moretransactions performed using the pharmaceutical product; a location ofthe pharmaceutical product; and, a location of the sensing device.

Optionally, the coded data is substantially invisible to an unaidedhuman.

Optionally, the coded data is printed on the surface using at least oneof: an invisible ink; and, an infrared-absorptive ink.

Optionally, the coded data is provided substantially coincident withvisible human-readable information.

Optionally, the coded includes a number of coded data portions, andwherein at least some of the coded data portions encode at least one of:a location of the respective coded data portion; a position of therespective coded data portion on the surface; a size of the coded dataportions; a signature part; a size of a signature; an identity of asignature part; units of indicated locations; and, at least part of adata object, the entire data object being encoded at least once by aplurality of coded data portions.

Optionally, the data object includes at least one of: MultipurposeInternet Mail Extensions (MIME) data; text data; image data; audio data;video data; application data; contact data; information; business carddata; and, directory data.

Optionally, the coded data includes at least one of: redundant data;data allowing error correction; Reed-Solomon data; and, CyclicRedundancy Check (CRC) data.

Optionally, the digital signature includes at least one of: a randomnumber associated with the identity; a keyed hash of at least theidentity; a keyed hash of at least the identity produced using a privatekey, and verifiable using a corresponding public key; cipher-textproduced by encrypting at least the identity; cipher-text produced byencrypting at least the identity and a random number; and, cipher-textproduced using a private key, and verifiable using a correspondingpublic key.

Optionally, the coded data is arranged in accordance with at least onelayout having n-fold rotational symmetry, where n is at least two, thelayout including n identical sub-layouts rotated 1/n revolutions apartabout a centre of rotation, at least one sub-layout includingrotation-indicating data that distinguishes that sub-layout from eachother sub-layout.

Optionally, the coded data is arranged in accordance with at least onelayout having n-fold rotational symmetry, where n is at least two, thelayout encoding orientation-indicating data comprising a sequence of aninteger multiple m of n symbols, where m is one or more, each encodedsymbol being distributed at n locations about a centre of rotationalsymmetry of the layout such that decoding the symbols at each of the norientations of the layout produces n representations of theorientation-indicating data, each representation comprising a differentcyclic shift of the orientation-indicating data and being indicative ofthe degree of rotation of the layout.

Optionally, the method includes the use of a transaction terminal forperforming transactions relating to the pharmaceutical product, thetransaction terminal including: a radiation source for exposing at leastone coded data portion; a sensor for sensing the at least one exposedcoded data portion; and, a processor for: determining, using the atleast one sensed coded data portion, a sensed identity; and, performingthe transaction using the sensed identity.

Optionally, the method includes the use of a printer for printing thepackaging, the printer being for: determining visible information to beprovided on the packaging; determining an identity associated with thepharmaceutical product; generating coded data using the identity, thecoded data including a number of coded data portions, each coded dataportion being indicative of at least the identity of the pharmaceuticalproduct; and, printing the packaging by printing the coded data and thevisible information.

Optionally, the method is further used for authenticating thepharmaceutical product, each coded data portion being further indicativeof at least part of a signature, the signature being a digital signatureof at least part of the identity and being encoded within a plurality ofcoded data portions, wherein the method includes: in the sensing device:sensing at least one coded data portion; and, generating, using thesensed coded data portion, indicating data indicative of: the identity;and, the at least one signature part; in a processor: determining, fromthe indicating data: a determined identity; and, at least one determinedsignature part; authenticating the pharmaceutical product using thedetermined identity and the at least one determined signature part.

Optionally, the method is further used for authenticating thepharmaceutical product, each coded data portion being further indicativeof at least part of a signature, the signature being a digital signatureof at least part of the identity, wherein the method includes, in acomputer system: receiving indicating data from the sensing device, thesensing device being responsive to sensing of the coded data to generateindicating data at least partially indicative of: the identity of thepharmaceutical product; and, the signature part; determining, from theindicating data: a determined identity; and, at least one determinedsignature part; authenticating the pharmaceutical product using thedetermined identity and the at least one determined signature part.

Optionally, the method is further used for determining a possibleduplication of pharmaceutical product packaging, wherein the methodincludes, in a computer system: receiving indicating data from a sensingdevice, the sensing device being responsive to sensing of the coded datato generate indicating data indicative of the identity; determining,from the indicating data, a determined identity; accessing, using thedetermined identity, tracking data relating to the pharmaceuticalproduct, the tracking data being at least partially indicative of thelocation of the pharmaceutical product; and, determining, using thetracking data, if the pharmaceutical product is a possible duplicate.

Optionally, the method is further used for tracking the pharmaceuticalproduct, the method including, in a computer system: receivingindicating data from the sensing device, the sensing device beingresponsive to sensing of the coded data to generate indicating dataindicative of the identity of the product item; and, updating, using thereceived indicating data, tracking data at least partially indicative oftracking information.

Optionally, the method is further used for producing pharmaceuticalproduct packaging, wherein the method includes, in a computer system:determining a serial number associated with a pharmaceutical product;generating, using the serial number, an identity; generating, using theidentity, a signature; causing generation of coded data using theidentity, the coded data including a number of coded data portions, eachcoded data portion encoding the identity; and, at least part of thesignature, the signature being a digital signature of at least part ofthe identity; causing printing of, on the pharmaceutical productpackaging: at least some coded data, and at least one of: the identity;and, the serial number.

Optionally, the method is further used for dispensing the pharmaceuticalproduct, the method including, in a computer system: receivingindicating data from the sensing device, the sensing device beingresponsive to sensing of the coded data to generate indicating data atleast partially indicative of the identity; determining, using theindicating data and from a dispensing database, at least one criterionfor dispensing the pharmaceutical product; and, causing thepharmaceutical product to be dispensed if the at least one criterion issatisfied.

Optionally, the sensing device is for use with the pharmaceuticalproduct, the sensing device including: a housing adapted to be held by auser in use; a radiation source for exposing at least one coded dataportion; a sensor for sensing the at least one exposed coded dataportion; and, a processor for determining, using the at least one sensedcoded data portion, a sensed identity. In another broad form theinvention provides a method of allowing a user to interact with apharmaceutical product, the pharmaceutical product being associated withpackaging having disposed thereon or therein coded data, at least someof the coded data being indicative of at least an identity, the methodincluding, in a sensing device: sensing at least some of the coded data;determining, using the sensed coded data, indicating data at leastpartially indicative of the identity; and, transferring the indicatingdata to a computer system, the computer system being responsive to theindicating data for: determining, using the indicating data, at leastone action; and, performing the action associated with thepharmaceutical product, the action including at least one of: providinginformation to a user; updating tracking information relating to thepharmaceutical product; performing a transaction relating to thepharmaceutical product; authenticating the pharmaceutical product; and,receiving feedback from the user. In a fifth broad form the inventionprovides a method for authenticating a pharmaceutical product, thepharmaceutical product being associated with packaging having disposedthereon or therein coded data including a number of coded data portions,each coded data portion being indicative of an identity of thepharmaceutical product and at least part of a signature, the signaturebeing a digital signature of at least part of the identity and beingencoded within a plurality of coded data portions, wherein the methodincludes: in a sensing device: sensing at least one coded data portion;and, generating, using the sensed coded data portion, indicating dataindicative of: the identity; and, the at least one signature part; in aprocessor: determining, from the indicating data: a determined identity;and, at least one determined signature part; authenticating thepharmaceutical product using the determined identity and the at leastone determined signature part.

Optionally, the method includes, in the processor: obtaining, using theidentity, a key from a secure data store, the secure data store storingat least one secret key; generating, using the determined identity andthe key, a generated signature; and, comparing the at least onedetermined signature part and the generated signature to therebyauthenticate the pharmaceutical product.

Optionally, the secure data store forms an internal memory of theprocessor.

Optionally, the method includes, in the processor: in the sensingdevice: sensing a plurality of coded data portions; and, generating,using the sensed coded data portions, indicating data indicative of thesignature; in a processor: determining, from the indicating data, adetermined signature; determining, using the identity, a key;generating, using the determined signature and the key, a generatedidentity; and, comparing the determined identity and the generatedidentity to thereby authenticate the pharmaceutical product.

Optionally, the method includes, in the processor: obtaining the keyfrom a local data store using the identity; and, obtaining the key froma remote data store using the identity, if the key cannot be obtainedfrom the local data store.

Optionally, the method includes in the at least one of the sensingdevice and the processor: determining when sufficient in a sensingdevice: sensing at least one coded data portion; and, generating, usingthe sensed coded data portion, indicating data indicative of: theidentity; and, the at least one signature part; in a processor:determining, from the indicating data: a determined identity; and, atleast one determined signature part; authenticating the pharmaceuticalproduct using the determined identity and the at least one determinedsignature part.

Optionally, the identity is formed at least in part from at least oneof: a coded data portion identity; an identity of the pharmaceuticalproduct; an EPC; an identity of the packaging; and, an identity of aregion of the packaging.

Optionally, the coded data includes a plurality of layouts, each layoutdefining the position of a plurality of first symbols encoding theidentity, and a plurality of second symbols defining at least part ofthe signature.

Optionally, the method includes, in the processor, communicating with alocal database, the database storing data relating the pharmaceuticalproduct, including at least one of: authentication data, including atleast a key associated with a signature, the signature being a digitalsignature of at least part of the identity; tracking data, the trackingdata being at least partially indicative of tracking informationincluding at least one of: an owner of the pharmaceutical product; oneor more transactions performed using the pharmaceutical product; alocation of the pharmaceutical product; and, a location of the sensingdevice. product data, the product data being at least partiallyindicative of product information including at least one of: a productcost; a patient identifier; a user identifier; an owner identifier;manufacture date; batch number; product manufacturer; productdistributor; product supplier; issue country; ingredients; storageconditions; disposal conditions; serial number; expiry date; effects;side-effects; conditions for use; instructions for use; links to furtherinformation; contra-indications; and, dosage.

Optionally, the method includes displaying at least one of: results ofauthentication; tracking information; and, product information.

Optionally, packaging includes at least one of: a blister pack; abottle; a bottle lid; a label; a box; and, a leaflet.

Optionally, the coded data is substantially invisible to an unaidedhuman.

Optionally, the coded data is printed on the surface using at least oneof: an invisible ink; and, an infrared-absorptive ink.

Optionally, the coded data is provided substantially coincident withvisible human-readable information.

Optionally, the coded includes a number of coded data portions, andwherein at least some of the coded data portions encode at least one of:a location of the respective coded data portion; a position of therespective coded data portion on the surface; a size of the coded dataportions; a signature part; a size of a signature; an identity of asignature part; units of indicated locations; and, at least part of adata object, the entire data object being encoded at least once by aplurality of coded data portions.

Optionally, the data object includes at least one of: MultipurposeInternet Mail Extensions (MIME) data; text data; image data; audio data;video data; application data; contact data; information; business carddata; and, directory data.

Optionally, the coded data includes at least one of: redundant data;data allowing error correction; Reed-Solomon data; and, CyclicRedundancy Check (CRC) data.

Optionally, the digital signature includes at least one of: a randomnumber associated with the identity; a keyed hash of at least theidentity; a keyed hash of at least the identity produced using a privatekey, and verifiable using a corresponding public key; cipher-textproduced by encrypting at least the identity; cipher-text produced byencrypting at least the identity and a random number; and, cipher-textproduced using a private key, and verifiable using a correspondingpublic key.

Optionally, the coded data is arranged in accordance with at least onelayout having n-fold rotational symmetry, where n is at least two, thelayout including n identical sub-layouts rotated 1/n revolutions apartabout a centre of rotation, at least one sub-layout includingrotation-indicating data that distinguishes that sub-layout from eachother sub-layout.

Optionally, the coded data is arranged in accordance with at least onelayout having n-fold rotational symmetry, where n is at least two, thelayout encoding orientation-indicating data comprising a sequence of aninteger multiple m of n symbols, where m is one or more, each encodedsymbol being distributed at n locations about a centre of rotationalsymmetry of the layout such that decoding the symbols at each of the norientations of the layout produces n representations of theorientation-indicating data, each representation comprising a differentcyclic shift of the orientation-indicating data and being indicative ofthe degree of rotation of the layout.

Optionally, the method includes the use of a transaction terminal forperforming transactions relating to the pharmaceutical product, thetransaction terminal including: a radiation source for exposing at leastone coded data portion; a sensor for sensing the at least one exposedcoded data portion; and, a processor for: determining, using the atleast one sensed coded data portion, a sensed identity; and, performingthe transaction using the sensed identity.

Optionally, the method includes the use of a printer for printing thepackaging, the printer being for: determining visible information to beprovided on the packaging; determining an identity associated with thepharmaceutical product; generating coded data using the identity, thecoded data including a number of coded data portions, each coded dataportion being indicative of at least the identity of the pharmaceuticalproduct; and, printing the packaging by printing the coded data and thevisible information.

Optionally, the method is further used for allowing a user to interactwith a pharmaceutical product, the method including, in a computersystem: receiving indicating data from the sensing device, the sensingdevice being responsive to sensing of the coded data to generateindicating data at least partially indicative of the identity;determining, using the indicating data, at least one action; and,performing the action associated with the pharmaceutical product, theaction including at least one of: providing information to a user;updating tracking information relating to the pharmaceutical product;performing a transaction relating to the pharmaceutical product;authenticating the pharmaceutical product; and, receiving feedback fromthe user.

Optionally, the method is further used for authenticating thepharmaceutical product, wherein the method includes, in a computersystem: receiving indicating data from the sensing device, the sensingdevice being responsive to sensing of the coded data to generateindicating data at least partially indicative of: the identity of thepharmaceutical product; and, the signature part; determining, from theindicating data: a determined identity; and, at least one determinedsignature part; authenticating the pharmaceutical product using thedetermined identity and the at least one determined signature part.

Optionally, the method is further used for determining a possibleduplication of pharmaceutical product packaging, wherein the methodincludes, in a computer system: receiving indicating data from a sensingdevice, the sensing device being responsive to sensing of the coded datato generate indicating data indicative of the identity; determining,from the indicating data, a determined identity; accessing, using thedetermined identity, tracking data relating to the pharmaceuticalproduct, the tracking data being at least partially indicative of thelocation of the pharmaceutical product; and, determining, using thetracking data, if the pharmaceutical product is a possible duplicate.

Optionally, the method is further used for tracking the pharmaceuticalproduct, the method including, in a computer system: receivingindicating data from the sensing device, the sensing device beingresponsive to sensing of the coded data to generate indicating dataindicative of the identity of the product item; and, updating, using thereceived indicating data, tracking data at least partially indicative oftracking information.

Optionally, the method is further used for producing pharmaceuticalproduct packaging, wherein the method includes, in a computer system:determining a serial number associated with a pharmaceutical product;generating, using the serial number, an identity; generating, using theidentity, a signature; causing generation of coded data using theidentity, the coded data including a number of coded data portions, eachcoded data portion encoding the identity; and, at least part of thesignature, the signature being a digital signature of at least part ofthe identity; causing printing of, on the pharmaceutical productpackaging: at least some coded data, and at least one of: the identity;and, the serial number.

Optionally, the method is further used for dispensing the pharmaceuticalproduct, the method including, in a computer system: receivingindicating data from the sensing device, the sensing device beingresponsive to sensing of the coded data to generate indicating data atleast partially indicative of the identity; determining, using theindicating data and from a dispensing database, at least one criterionfor dispensing the pharmaceutical product; and, causing thepharmaceutical product to be dispensed if the at least one criterion issatisfied.

Optionally, the sensing device is for use with the pharmaceuticalproduct, the sensing device including: a housing adapted to be held by auser in use; a radiation source for exposing at least one coded dataportion; a sensor for sensing the at least one exposed coded dataportion; and, a processor for determining, using the at least one sensedcoded data portion, a sensed identity. In a fourth broad form theinvention provides a method for authenticating a pharmaceutical product,the pharmaceutical product being associated with packaging havingdisposed thereon or therein coded data including a number of coded dataportions, each coded data portion being indicative of an identity of thepharmaceutical product and at least part of a signature, the signaturebeing a digital signature of at least part of the identity, wherein themethod includes, in a computer system: receiving indicating data from asensing device, the sensing device being responsive to sensing of thecoded data to generate indicating data at least partially indicative of:the identity of the pharmaceutical product; and, the signature part;determining, from the indicating data: a determined identity; and, atleast one determined signature part; authenticating the pharmaceuticalproduct using the determined identity and the at least one determinedsignature part.

Optionally, the method includes, in the computer system: determining,using the determined identity, a key; generating, using the determinedidentity and the key, a generated signature; and, comparing the at leastone determined signature part and the generated signature to therebyauthenticate the pharmaceutical product.

Optionally, the entire signature is encoded within a plurality of codeddata portions, the sensing device being responsive to sensing aplurality of coded data portions to generate indicating data indicativeof the entire signature, and wherein the method includes, in thecomputer system: determining, using the indicating data, a determinedsignature; determining, using the determined identity, a key; generate,using the determined signature and the key, a generated identity; and,compare the determined identity and the generated identity to therebyauthenticate the pharmaceutical product.

Optionally, the method includes, in the computer system: determining,using the determined identity, tracking data at least partiallyindicative of the location of the pharmaceutical product; and,determining, using the tracking data, if the pharmaceutical product is apossible duplicate.

Optionally, the method includes, in the computer system, and in responseto a successful authentication: authorising a transaction relating tothe pharmaceutical product; and, updating tracking data relating to thepharmaceutical product, the tracking data being at least partiallyindicative of the location of the pharmaceutical product.

Optionally, the method includes, in the computer system, communicatingwith a database, the database storing data relating the pharmaceuticalproduct, including at least one of: authentication data, including atleast a key associated with a signature, the signature being a digitalsignature of at least part of the identity; tracking data, the trackingdata being at least partially indicative of tracking informationincluding at least one of: an owner of the pharmaceutical product; oneor more transactions performed using the pharmaceutical product; alocation of the pharmaceutical product; and, a location of the sensingdevice; and, product data, the product data being at least partiallyindicative of product information including at least one of: a productcost; a patient identifier; a user identifier; an owner identifier;manufacture date; batch number; product manufacturer; productdistributor; product supplier; issue country; ingredients; storageconditions; disposal conditions; serial number; expiry date; effects;side-effects; conditions for use; instructions for use; links to furtherinformation; contra-indications; and, dosage.

Optionally, the method includes, in the computer system, causing thedisplay of at least one of: results of authentication; trackinginformation; and, product information.

Optionally, the identity is formed at least in part from at least oneof: a coded data portion identity; an identity of the pharmaceuticalproduct; an EPC; an identity of the packaging; and, an identity of aregion of the packaging.

Optionally, the coded data includes a plurality of layouts, each layoutdefining the position of a plurality of first symbols encoding theidentity, and a plurality of second symbols defining at least part ofthe signature.

Optionally, packaging includes at least one of: a blister pack; abottle; a bottle lid; a label; a box; and, a leaflet.

Optionally, the coded data is substantially invisible to an unaidedhuman.

Optionally, the coded data is printed on the surface using at least oneof: an invisible ink; and, an infrared-absorptive ink.

Optionally, the coded data is provided substantially coincident withvisible human-readable information.

Optionally, the coded includes a number of coded data portions, andwherein at least some of the coded data portions encode at least one of:a location of the respective coded data portion; a position of therespective coded data portion on the surface; a size of the coded dataportions; a signature part; a size of a signature; an identity of asignature part; units of indicated locations; and, at least part of adata object, the entire data object being encoded at least once by aplurality of coded data portions.

Optionally, the data object includes at least one of: MultipurposeInternet Mail Extensions (MIME) data; text data; image data; audio data;video data; application data; contact data; information; business carddata; and, directory data.

Optionally, the coded data includes at least one of: redundant data;data allowing error correction; Reed-Solomon data; and, CyclicRedundancy Check (CRC) data.

Optionally, the digital signature includes at least one of: a randomnumber associated with the identity; a keyed hash of at least theidentity; a keyed hash of at least the identity produced using a privatekey, and verifiable using a corresponding public key; cipher-textproduced by encrypting at least the identity; cipher-text produced byencrypting at least the identity and a random number; and, cipher-textproduced using a private key, and verifiable using a correspondingpublic key.

Optionally, the coded data is arranged in accordance with at least onelayout having n-fold rotational symmetry, where n is at least two, thelayout including n identical sub-layouts rotated 1/n revolutions apartabout a centre of rotation, at least one sub-layout includingrotation-indicating data that distinguishes that sub-layout from eachother sub-layout.

Optionally, the coded data is arranged in accordance with at least onelayout having n-fold rotational symmetry, where n is at least two, thelayout encoding orientation-indicating data comprising a sequence of aninteger multiple m of n symbols, where m is one or more, each encodedsymbol being distributed at n locations about a centre of rotationalsymmetry of the layout such that decoding the symbols at each of the norientations of the layout produces n representations of theorientation-indicating data, each representation comprising a differentcyclic shift of the orientation-indicating data and being indicative ofthe degree of rotation of the layout.

Optionally, the method includes the use of a transaction terminal forperforming transactions relating to the pharmaceutical product, thetransaction terminal including: a radiation source for exposing at leastone coded data portion; a sensor for sensing the at least one exposedcoded data portion; and, a processor for: determining, using the atleast one sensed coded data portion, a sensed identity; and, performingthe transaction using the sensed identity.

Optionally, the method includes the use of a printer for printing thepackaging, the printer being for: determining visible information to beprovided on the packaging; determining an identity associated with thepharmaceutical product; generating coded data using the identity, thecoded data including a number of coded data portions, each coded dataportion being indicative of at least the identity of the pharmaceuticalproduct; and, printing the packaging by printing the coded data and thevisible information.

Optionally, the method is further used for allowing a user to interactwith a pharmaceutical product, the method including, in a computersystem: receiving indicating data from the sensing device, the sensingdevice being responsive to sensing of the coded data to generateindicating data at least partially indicative of the identity;determining, using the indicating data, at least one action; and,performing the action associated with the pharmaceutical product, theaction including at least one of: providing information to a user;updating tracking information relating to the pharmaceutical product;performing a transaction relating to the pharmaceutical product;authenticating the pharmaceutical product; and, receiving feedback fromthe user.

Optionally, the method is further used for authenticating thepharmaceutical product, wherein the method includes: in the sensingdevice: sensing at least one coded data portion; and, generating, usingthe sensed coded data portion, indicating data indicative of: theidentity; and, the at least one signature part; in a processor:determining, from the indicating data: a determined identity; and, atleast one determined signature part; authenticating the pharmaceuticalproduct using the determined identity and the at least one determinedsignature part.

Optionally, the method is further used for determining a possibleduplication of pharmaceutical product packaging, wherein the methodincludes, in a computer system: receiving indicating data from a sensingdevice, the sensing device being responsive to sensing of the coded datato generate indicating data indicative of the identity; determining,from the indicating data, a determined identity; accessing, using thedetermined identity, tracking data relating to the pharmaceuticalproduct, the tracking data being at least partially indicative of thelocation of the pharmaceutical product; and, determining, using thetracking data, if the pharmaceutical product is a possible duplicate.

Optionally, the method is further used for tracking the pharmaceuticalproduct, the method including, in a computer system: receivingindicating data from the sensing device, the sensing device beingresponsive to sensing of the coded data to generate indicating dataindicative of the identity of the product item; and, updating, using thereceived indicating data, tracking data at least partially indicative oftracking information.

Optionally, the method is further used for producing pharmaceuticalproduct packaging, wherein the method includes, in a computer system:determining a serial number associated with a pharmaceutical product;generating, using the serial number, an identity; generating, using theidentity, a signature; causing generation of coded data using theidentity, the coded data including a number of coded data portions, eachcoded data portion encoding the identity; and, at least part of thesignature, the signature being a digital signature of at least part ofthe identity; causing printing of, on the pharmaceutical productpackaging: at least some coded data, and at least one of: the identity;and, the serial number.

Optionally, the method is further used for dispensing the pharmaceuticalproduct, the method including, in a computer system: receivingindicating data from the sensing device, the sensing device beingresponsive to sensing of the coded data to generate indicating data atleast partially indicative of the identity; determining, using theindicating data and from a dispensing database, at least one criterionfor dispensing the pharmaceutical product; and, causing thepharmaceutical product to be dispensed if the at least one criterion issatisfied.

Optionally, the sensing device is for use with the pharmaceuticalproduct, the sensing device including: a housing adapted to be held by auser in use; a radiation source for exposing at least one coded dataportion; a sensor for sensing the at least one exposed coded dataportion; and, a processor for determining, using the at least one sensedcoded data portion, a sensed identity. In another broad form theinvention provides a method for authenticating a pharmaceutical product,the pharmaceutical product being associated with packaging havingdisposed thereon or therein coded data including a number of coded dataportions, each coded data portion being indicative of an identity of thepharmaceutical product and at least part of a signature, the signaturebeing a digital signature of at least part of the identity, wherein themethod includes, in a sensing device: sensing at least one coded dataportion; generating, using the sensed coded data portion, indicatingdata at least partially indicative of: the identity; and, at least onesignature part; and, transferring the indicating data to a computersystem, the computer system being responsive to the indicating data to:determine, from the indicating data: a determined identity; and, atleast one determined signature part; authenticate the pharmaceuticalproduct using the determined identity and the at least one determinedsignature part. In a sixth broad form the invention provides a method ofdetermining a possible duplication of pharmaceutical product packaging,the packaging having disposed thereon or therein coded data including anumber of coded data portions, each coded data portion being indicativeof at least an identity of the pharmaceutical product, and wherein themethod includes, in a computer system: receiving indicating data from asensing device, the sensing device being responsive to sensing of thecoded data to generate indicating data indicative of the identity;determining, from the indicating data, a determined identity; accessing,using the determined identity, tracking data relating to thepharmaceutical product, the tracking data being at least partiallyindicative of the location of the pharmaceutical product; and,determining, using the tracking data, if the pharmaceutical product is apossible duplicate.

Optionally, the tracking data is indicative of tracking information foreach of a number of existing pharmaceutical products, and wherein themethod includes, in the computer system, determining if thepharmaceutical product is a duplicate of one of the existingpharmaceutical products.

Optionally, the method includes, in the computer system: determining,using the indicating data, a current location of the pharmaceuticalproduct; comparing the current location to the tracking information;and, determining the pharmaceutical product to be a possible duplicateif the current location is inconsistent with the tracking information.

Optionally, the method includes, in the computer system, determining ifthe current location is inconsistent with the tracking information usingpredetermined rules.

Optionally, each coded data portion is indicative of at least part of asignature, the signature being a digital signature of at least part ofthe identity, wherein the indicating data is at least partiallyindicative of at least one signature part, and wherein the methodincludes, in a computer system: determining, from the indicating data,at least one determined signature part; and, authenticating thepharmaceutical product using the determined identity and the at leastone determined signature part.

Optionally, the method includes, in the computer system, and in responseto a successful authentication: authorising a transaction relating tothe pharmaceutical product; and, updating the tracking data relating tothe pharmaceutical product.

Optionally, the method includes, in the computer system, communicatingwith a database, the database storing data relating the pharmaceuticalproduct, including at least one of: authentication data, including atleast a key associated with a signature, the signature being a digitalsignature of at least part of the identity; tracking data, the trackingdata being at least partially indicative of tracking informationincluding at least one of: an owner of the pharmaceutical product; oneor more transactions performed using the pharmaceutical product; alocation of the pharmaceutical product; and, a location of the sensingdevice; and, product data, the product data being at least partiallyindicative of product information including at least one of: a productcost; a patient identifier; a user identifier; an owner identifier;manufacture date; batch number; product manufacturer; productdistributor; product supplier; issue country; ingredients; storageconditions; disposal conditions; serial number; expiry date; effects;side-effects; conditions for use; instructions for use; links to furtherinformation; contra-indications; and, dosage.

Optionally, the method includes, in the computer system, causing thedisplay of at least one of: results of authentication; trackinginformation; and, product information.

Optionally, the identity is formed at least in part from at least oneof: a coded data portion identity; an identity of the pharmaceuticalproduct; an EPC; an identity of the packaging; and, an identity of aregion of the packaging.

Optionally, packaging includes at least one of: a blister pack; abottle; a bottle lid; a label; a box; and, a leaflet.

Optionally, the coded data is substantially invisible to an unaidedhuman.

Optionally, the coded data is printed on the surface using at least oneof: an invisible ink; and, an infrared-absorptive ink.

Optionally, the coded data is provided substantially coincident withvisible human-readable information.

Optionally, the coded includes a number of coded data portions, andwherein at least some of the coded data portions encode at least one of:a location of the respective coded data portion; a position of therespective coded data portion on the surface; a size of the coded dataportions; a signature part; a size of a signature; an identity of asignature part; units of indicated locations; and, at least part of adata object, the entire data object being encoded at least once by aplurality of coded data portions.

Optionally, the data object includes at least one of: MultipurposeInternet Mail Extensions (MIME) data; text data; image data; audio data;video data; application data; contact data; information; business carddata; and, directory data.

Optionally, the coded data includes at least one of: redundant data;data allowing error correction; Reed-Solomon data; and, CyclicRedundancy Check (CRC) data.

Optionally, the digital signature includes at least one of: a randomnumber associated with the identity; a keyed hash of at least theidentity; a keyed hash of at least the identity produced using a privatekey, and verifiable using a corresponding public key; cipher-textproduced by encrypting at least the identity; cipher-text produced byencrypting at least the identity and a random number; and, cipher-textproduced using a private key, and verifiable using a correspondingpublic key.

Optionally, the coded data is arranged in accordance with at least onelayout having n-fold rotational symmetry, where n is at least two, thelayout including n identical sub-layouts rotated l/n revolutions apartabout a centre of rotation, at least one sub-layout includingrotation-indicating data that distinguishes that sub-layout from eachother sub-layout.

Optionally, the coded data is arranged in accordance with at least onelayout having n-fold rotational symmetry, where n is at least two, thelayout encoding orientation-indicating data comprising a sequence of aninteger multiple m of n symbols, where m is one or more, each encodedsymbol being distributed at n locations about a centre of rotationalsymmetry of the layout such that decoding the symbols at each of the norientations of the layout produces n representations of theorientation-indicating data, each representation comprising a differentcyclic shift of the orientation-indicating data and being indicative ofthe degree of rotation of the layout.

Optionally, the method includes the use of a transaction terminal forperforming transactions relating to the pharmaceutical product, thetransaction terminal including: a radiation source for exposing at leastone coded data portion; a sensor for sensing the at least one exposedcoded data portion; and, a processor for: determining, using the atleast one sensed coded data portion, a sensed identity; and, performingthe transaction using the sensed identity.

Optionally, the method includes the use of a printer for printing thepackaging, the printer being for: determining visible information to beprovided on the packaging; determining an identity associated with thepharmaceutical product; generating coded data using the identity, thecoded data including a number of coded data portions, each coded dataportion being indicative of at least the identity of the pharmaceuticalproduct; and, printing the packaging by printing the coded data and thevisible information.

Optionally, the method is further used for allowing a user to interactwith a pharmaceutical product, the method including, in a computersystem: receiving indicating data from the sensing device, the sensingdevice being responsive to sensing of the coded data to generateindicating data at least partially indicative of the identity;determining, using the indicating data, at least one action; and,performing the action associated with the pharmaceutical product, theaction including at least one of: providing information to a user;updating tracking information relating to the pharmaceutical product;performing a transaction relating to the pharmaceutical product;authenticating the pharmaceutical product; and, receiving feedback fromthe user.

Optionally, the method is further used for authenticating thepharmaceutical product, each coded data portion being further indicativeof at least part of a signature, the signature being a digital signatureof at least part of the identity and being encoded within a plurality ofcoded data portions, wherein the method includes: in the sensing device:sensing at least one coded data portion; and, generating, using thesensed coded data portion, indicating data indicative of: the identity;and, the at least one signature part; in a processor: determining, fromthe indicating data: a determined identity; and, at least one determinedsignature part; authenticating the pharmaceutical product using thedetermined identity and the at least one determined signature part.

Optionally, the method is further used for authenticating thepharmaceutical product, each coded data portion being further indicativeof at least part of a signature, the signature being a digital signatureof at least part of the identity, wherein the method includes, in acomputer system: receiving indicating data from the sensing device, thesensing device being responsive to sensing of the coded data to generateindicating data at least partially indicative of: the identity of thepharmaceutical product; and, the signature part; determining, from theindicating data: a determined identity; and, at least one determinedsignature part; authenticating the pharmaceutical product using thedetermined identity and the at least one determined signature part.

Optionally, the method is further used for tracking the pharmaceuticalproduct, the method including, in a computer system: receivingindicating data from the sensing device, the sensing device beingresponsive to sensing of the coded data to generate indicating dataindicative of the identity of the product item; and, updating, using thereceived indicating data, tracking data at least partially indicative oftracking information.

Optionally, the method is further used for producing pharmaceuticalproduct packaging, wherein the method includes, in a computer system:determining a serial number associated with a pharmaceutical product;generating, using the serial number, an identity; generating, using theidentity, a signature; causing generation of coded data using theidentity, the coded data including a number of coded data portions, eachcoded data portion encoding the identity; and, at least part of thesignature, the signature being a digital signature of at least part ofthe identity; causing printing of, on the pharmaceutical productpackaging: at least some coded data, and at least one of: the identity;and, the serial number.

Optionally, the method is further used for dispensing the pharmaceuticalproduct, the method including, in a computer system: receivingindicating data from the sensing device, the sensing device beingresponsive to sensing of the coded data to generate indicating data atleast partially indicative of the identity; determining, using theindicating data and from a dispensing database, at least one criterionfor dispensing the pharmaceutical product; and, causing thepharmaceutical product to be dispensed if the at least one criterion issatisfied.

Optionally, the sensing device is for use with the pharmaceuticalproduct, the sensing device including: a housing adapted to be held by auser in use; a radiation source for exposing at least one coded dataportion; a sensor for sensing the at least one exposed coded dataportion; and, a processor for determining, using the at least one sensedcoded data portion, a sensed identity. In another broad form theinvention provides a method of determining a possible duplication ofpharmaceutical product packaging, the packaging having disposed thereonor therein coded data including a number of coded data portions, eachcoded data portion being indicative of at least an identity of thepharmaceutical product, and wherein the method includes, in a sensingdevice: sensing at least some of the coded data; determining, using thesensed coded data, indicating data at least partially indicative of theidentity; and, transferring the indicating data to a computer system,the computer system being responsive to the indicating data for:determining, from the indicating data, a determined identity; accessing,using the determined identity, tracking data relating to thepharmaceutical product, the tracking data being at least partiallyindicative of the location of the pharmaceutical product; and,determining, using the tracking data, if the pharmaceutical product is apossible duplicate. In a seventh broad form the invention provides amethod of tracking a pharmaceutical product, the pharmaceutical productbeing associated with packaging having disposed thereon or therein codeddata including a number of coded data portions, each coded data portionbeing indicative of an identity of the pharmaceutical product, themethod including, in a computer system: receiving indicating data from asensing device, the sensing device being responsive to sensing of thecoded data to generate indicating data indicative of the identity of theproduct item; and, updating, using the received indicating data,tracking data at least partially indicative of tracking information.

Optionally, at least one of the tracking information and the indicatingdata are indicative of at least one of: an identity of the sensingdevice; an identity of a patient; an identity of a current owner of thepharmaceutical product; one or more transactions performed using thepharmaceutical product; a location of the pharmaceutical product; and, alocation of the sensing device.

Optionally, each coded data portion is indicative of at least part of asignature, the signature being a digital signature of at least part ofthe identity, wherein the indicating data is at least partiallyindicative of at least one signature part, and wherein the methodincludes, in a computer system: determining, from the indicating data,at least one determined signature part; and, authenticating thepharmaceutical product using the determined identity and the at leastone determined signature part.

Optionally, the method includes, in the computer system, and in responseto a successful authentication: authorising a transaction relating tothe pharmaceutical product; and, updating the tracking data.

Optionally, the entire signature is encoded within a plurality of codeddata portions and wherein the system includes the sensing deviceconfigured to sense a number of coded data portions to thereby determinethe entire signature.

Optionally, the method includes, in the computer system, communicatingwith a database, the database storing data relating the pharmaceuticalproduct, including at least one of: authentication data, including atleast a key associated with a signature, the signature being a digitalsignature of at least part of the identity; and, product data, theproduct data being at least partially indicative of product informationincluding at least one of: a product cost; a patient identifier; a useridentifier; an owner identifier; manufacture date; batch number; productmanufacturer; product distributor; product supplier; issue country;ingredients; storage conditions; disposal conditions; serial number;expiry date; effects; side-effects; conditions for use; instructions foruse; links to further information; contraindications; and, dosage.

Optionally, the method includes, in the computer system, causing thedisplay of at least one of: results of authentication; trackinginformation; and, product information.

Optionally, the coded data includes a plurality of layouts, each layoutdefining the position of a plurality of first symbols encoding theidentity, and a plurality of second symbols defining at least part ofthe signature.

Optionally, the identity is formed at least in part from at least oneof: a coded data portion identity; an identity of the pharmaceuticalproduct; an EPC; an identity of the packaging; and, an identity of aregion of the packaging.

Optionally, packaging includes at least one of: a blister pack; abottle; a bottle lid; a label; a box; and, a leaflet.

Optionally, the coded data is substantially invisible to an unaidedhuman.

Optionally, the coded data is printed on the surface using at least oneof: an invisible ink; and, an infrared-absorptive ink.

Optionally, the coded data is provided substantially coincident withvisible human-readable information.

Optionally, the coded includes a number of coded data portions, andwherein at least some of the coded data portions encode at least one of:a location of the respective coded data portion; a position of therespective coded data portion on the surface; a size of the coded dataportions; a signature part; a size of a signature; an identity of asignature part; units of indicated locations; and, at least part of adata object, the entire data object being encoded at least once by aplurality of coded data portions.

Optionally, the data object includes at least one of: MultipurposeInternet Mail Extensions (MIME) data; text data; image data; audio data;video data; application data; contact data; information; business carddata; and, directory data.

Optionally, the coded data includes at least one of: redundant data;data allowing error correction; Reed-Solomon data; and, CyclicRedundancy Check (CRC) data.

Optionally, the digital signature includes at least one of: a randomnumber associated with the identity; a keyed hash of at least theidentity; a keyed hash of at least the identity produced using a privatekey, and verifiable using a corresponding public key; cipher-textproduced by encrypting at least the identity; cipher-text produced byencrypting at least the identity and a random number; and, cipher-textproduced using a private key, and verifiable using a correspondingpublic key.

Optionally, the coded data is arranged in accordance with at least onelayout having n-fold rotational symmetry, where n is at least two, thelayout including n identical sub-layouts rotated 1/n revolutions apartabout a centre of rotation, at least one sub-layout includingrotation-indicating data that distinguishes that sub-layout from eachother sub-layout.

Optionally, the coded data is arranged in accordance with at least onelayout having n-fold rotational symmetry, where n is at least two, thelayout encoding orientation-indicating data comprising a sequence of aninteger multiple m of n symbols, where m is one or more, each encodedsymbol being distributed at n locations about a centre of rotationalsymmetry of the layout such that decoding the symbols at each of the norientations of the layout produces n representations of theorientation-indicating data, each representation comprising a differentcyclic shift of the orientation-indicating data and being indicative ofthe degree of rotation of the layout.

Optionally, the method includes the use of a transaction terminal forperforming transactions relating to the pharmaceutical product, thetransaction terminal including: a radiation source for exposing at leastone coded data portion; a sensor for sensing the at least one exposedcoded data portion; and, a processor for: determining, using the atleast one sensed coded data portion, a sensed identity; and, performingthe transaction using the sensed identity.

Optionally, the method includes the use of a printer for printing thepackaging, the printer being for: determining visible information to beprovided on the packaging; determining an identity associated with thepharmaceutical product; generating coded data using the identity, thecoded data including a number of coded data portions, each coded dataportion being indicative of at least the identity of the pharmaceuticalproduct; and, printing the packaging by printing the coded data and thevisible information.

Optionally, the method is further used for allowing a user to interactwith a pharmaceutical product, the method including, in a computersystem: receiving indicating data from the sensing device, the sensingdevice being responsive to sensing of the coded data to generateindicating data at least partially indicative of the identity;determining, using the indicating data, at least one action; and,performing the action associated with the pharmaceutical product, theaction including at least one of: providing information to a user;updating tracking information relating to the pharmaceutical product;performing a transaction relating to the pharmaceutical product;authenticating the pharmaceutical product; and, receiving feedback fromthe user.

Optionally, the method is further used for authenticating thepharmaceutical product, each coded data portion being further indicativeof at least part of a signature, the signature being a digital signatureof at least part of the identity and being encoded within a plurality ofcoded data portions, wherein the method includes: in the sensing device:sensing at least one coded data portion; and, generating, using thesensed coded data portion, indicating data indicative of: the identity;and, the at least one signature part; in a processor: determining, fromthe indicating data: a determined identity; and, at least one determinedsignature part; authenticating the pharmaceutical product using thedetermined identity and the at least one determined signature part.

Optionally, the method is further used for authenticating thepharmaceutical product, each coded data portion being further indicativeof at least part of a signature, the signature being a digital signatureof at least part of the identity, wherein the method includes, in acomputer system: receiving indicating data from the sensing device, thesensing device being responsive to sensing of the coded data to generateindicating data at least partially indicative of: the identity of thepharmaceutical product; and, the signature part; determining, from theindicating data: a determined identity; and, at least one determinedsignature part; authenticating the pharmaceutical product using thedetermined identity and the at least one determined signature part.

Optionally, the method is further used for determining a possibleduplication of pharmaceutical product packaging, wherein the methodincludes, in a computer system: receiving indicating data from a sensingdevice, the sensing device being responsive to sensing of the coded datato generate indicating data indicative of the identity; determining,from the indicating data, a determined identity; accessing, using thedetermined identity, tracking data relating to the pharmaceuticalproduct, the tracking data being at least partially indicative of thelocation of the pharmaceutical product; and, determining, using thetracking data, if the pharmaceutical product is a possible duplicate.

Optionally, the method is further used for producing pharmaceuticalproduct packaging, wherein the method includes, in a computer system:determining a serial number associated with a pharmaceutical product;generating, using the serial number, an identity; generating, using theidentity, a signature; causing generation of coded data using theidentity, the coded data including a number of coded data portions, eachcoded data portion encoding the identity; and, at least part of thesignature, the signature being a digital signature of at least part ofthe identity; causing printing of, on the pharmaceutical productpackaging: at least some coded data, and at least one of: the identity;and, the serial number.

Optionally, the method is further used for dispensing the pharmaceuticalproduct, the method including, in a computer system: receivingindicating data from the sensing device, the sensing device beingresponsive to sensing of the coded data to generate indicating data atleast partially indicative of the identity; determining, using theindicating data and from a dispensing database, at least one criterionfor dispensing the pharmaceutical product; and, causing thepharmaceutical product to be dispensed if the at least one criterion issatisfied.

Optionally, the sensing device is for use with the pharmaceuticalproduct, the sensing device including: a housing adapted to be held by auser in use; a radiation source for exposing at least one coded dataportion; a sensor for sensing the at least one exposed coded dataportion; and, a processor for determining, using the at least one sensedcoded data portion, a sensed identity. In another broad form theinvention provides a method of tracking a pharmaceutical product, thepharmaceutical product being associated with packaging having disposedthereon or therein coded data including a number of coded data portions,each coded data portion being indicative of an identity of thepharmaceutical product, the method including, in a sensing device:sensing at least some of the coded data; determining, using the sensedcoded data, indicating data at least partially indicative of theidentity; and, transferring the indicating data to a computer system,the computer system being responsive to the indicating data to update,using the received indicating data, the tracking data. In an eighthbroad form the invention provides a method of producing pharmaceuticalproduct packaging, wherein the method includes, in a computer system:determining a serial number associated with a pharmaceutical product;generating, using the serial number, an identity; generating, using theidentity, a signature; causing generation of coded data using theidentity, the coded data including a number of coded data portions, eachcoded data portion encoding the identity; and, at least part of thesignature, the signature being a digital signature of at least part ofthe identity; causing printing of, on the pharmaceutical productpackaging: at least some coded data, and at least one of: the identity;and, the serial number. 2. A method according to claim 1, wherein theidentity is formed at least in part from at least one of: a serialnumber of the pharmaceutical product; an identity of the pharmaceuticalproduct; an EPC; an identity of the packaging; and, an identity of aregion of the packaging.

Optionally, the method includes, encoding the entire signature within aplurality of coded data portions.

Optionally, the method includes: determining visible informationrelating to the pharmaceutical product; determining a description, thedescription describing a layout of the visible information; recording anassociation between the identity and the layout; and, causing printingof the packaging using the layout.

Optionally, the description is indicative of at least one actionassociated with the pharmaceutical product, the action including atleast one of: providing information to a user; updating trackinginformation relating to the pharmaceutical product; performing atransaction relating to the pharmaceutical product; authenticating thepharmaceutical product; and, receiving feedback from the user.

Optionally, the method includes, in the computer system, communicatingwith a database, the database storing data relating the pharmaceuticalproduct, including at least one of: authentication data, including atleast a key associated with a signature, the signature being a digitalsignature of at least part of the identity; tracking data, the trackingdata being at least partially indicative of tracking informationincluding at least one of: an owner of the pharmaceutical product; oneor more transactions performed using the pharmaceutical product; alocation of the pharmaceutical product; and, a location of the sensingdevice; and, product data, the product data being at least partiallyindicative of product information including at least one of: a productcost; a patient identifier; a user identifier; an owner identifier;manufacture date; batch number; product manufacturer; productdistributor; product supplier; issue country; ingredients; storageconditions; disposal conditions; serial number; expiry date; effects;side-effects; conditions for use; instructions for use; links to furtherinformation; contra-indications; and, dosage.

Optionally, the method includes, in the computer system: updating atleast some of the data relating to the pharmaceutical product; and,generating the coded data using at least some of the data relating tothe pharmaceutical product.

Optionally, the method includes, in the computer system, receiving froma scanning system, in response to scanning of the packaging, informationindicative of at least one of: a source of the pharmaceutical product; apharmaceutical product type; the identity of the pharmaceutical product;and, the serial number of the pharmaceutical product; and,

Optionally, the coded data is indicative of a plurality of referencepoints such that sensing of at least one coded data portion, by asensing device, allows for determination of at least one of: theidentity; at least one signature part; a position of the sensing devicerelative to the packaging; and, movement of the sensing device relativeto the packaging.

Optionally, the identity is formed at least in part from at least oneof: a coded data portion identity; an identity of the pharmaceuticalproduct; an EPC; an identity of the packaging; and, an identity of aregion of the packaging.

Optionally, packaging includes at least one of: a blister pack; abottle; a bottle lid; a label; a box; and, a leaflet.

Optionally, the coded data is substantially invisible to an unaidedhuman.

Optionally, the coded data is printed on the surface using at least oneof: an invisible ink; and, an infrared-absorptive ink.

Optionally, the coded data is provided substantially coincident withvisible human-readable information.

Optionally, the coded includes a number of coded data portions, andwherein at least some of the coded data portions encode at least one of:a location of the respective coded data portion; a position of therespective coded data portion on the surface; a size of the coded dataportions; a signature part; a size of a signature; an identity of asignature part; units of indicated locations; and, at least part of adata object, the entire data object being encoded at least once by aplurality of coded data portions.

Optionally, the data object includes at least one of: MultipurposeInternet Mail Extensions (MIME) data; text data; image data; audio data;video data; application data; contact data; information; business carddata; and, directory data.

Optionally, the coded data includes at least one of: redundant data;data allowing error correction; Reed-Solomon data; and, CyclicRedundancy Check (CRC) data.

Optionally, the digital signature includes at least one of: a randomnumber associated with the identity; a keyed hash of at least theidentity; a keyed hash of at least the identity produced using a privatekey, and verifiable using a corresponding public key; cipher-textproduced by encrypting at least the identity; cipher-text produced byencrypting at least the identity and a random number; and, cipher-textproduced using a private key, and verifiable using a correspondingpublic key.

Optionally, the coded data is arranged in accordance with at least onelayout having n-fold rotational symmetry, where n is at least two, thelayout including n identical sub-layouts rotated 1/n revolutions apartabout a centre of rotation, at least one sub-layout includingrotation-indicating data that distinguishes that sub-layout from eachother sub-layout.

Optionally, the coded data is arranged in accordance with at least onelayout having n-fold rotational symmetry, where n is at least two, thelayout encoding orientation-indicating data comprising a sequence of aninteger multiple m of n symbols, where m is one or more, each encodedsymbol being distributed at n locations about a centre of rotationalsymmetry of the layout such that decoding the symbols at each of the norientations of the layout produces n representations of theorientation-indicating data, each representation comprising a differentcyclic shift of the orientation-indicating data and being indicative ofthe degree of rotation of the layout.

Optionally, the method includes the use of a transaction terminal forperforming transactions relating to the pharmaceutical product, thetransaction terminal including: a radiation source for exposing at leastone coded data portion; a sensor for sensing the at least one exposedcoded data portion; and, a processor for: determining, using the atleast one sensed coded data portion, a sensed identity; and, performingthe transaction using the sensed identity.

Optionally, the method includes the use of a printer for printing thepackaging, the printer being for: determining visible information to beprovided on the packaging; determining an identity associated with thepharmaceutical product; generating coded data using the identity, thecoded data including a number of coded data portions, each coded dataportion being indicative of at least the identity of the pharmaceuticalproduct; and, printing the packaging by printing the coded data and thevisible information.

Optionally, the method is further used for allowing a user to interactwith a pharmaceutical product, the method including, in a computersystem: receiving indicating data from the sensing device, the sensingdevice being responsive to sensing of the coded data to generateindicating data at least partially indicative of the identity;determining, using the indicating data, at least one action; and,performing the action associated with the pharmaceutical product, theaction including at least one of: providing information to a user;updating tracking information relating to the pharmaceutical product;performing a transaction relating to the pharmaceutical product;authenticating the pharmaceutical product; and, receiving feedback fromthe user.

Optionally, the method is further used for authenticating thepharmaceutical product, each coded data portion being further indicativeof at least part of a signature, the signature being a digital signatureof at least part of the identity and being encoded within a plurality ofcoded data portions, wherein the method includes: in the sensing device:sensing at least one coded data portion; and, generating, using thesensed coded data portion, indicating data indicative of: the identity;and, the at least one signature part; in a processor: determining, fromthe indicating data: a determined identity; and, at least one determinedsignature part; authenticating the pharmaceutical product using thedetermined identity and the at least one determined signature part.

Optionally, the method is further used for authenticating thepharmaceutical product, each coded data portion being further indicativeof at least part of a signature, the signature being a digital signatureof at least part of the identity, wherein the method includes, in acomputer system: receiving indicating data from the sensing device, thesensing device being responsive to sensing of the coded data to generateindicating data at least partially indicative of: the identity of thepharmaceutical product; and, the signature part; determining, from theindicating data: a determined identity; and, at least one determinedsignature part; authenticating the pharmaceutical product using thedetermined identity and the at least one determined signature part.

Optionally, the method is further used for determining a possibleduplication of pharmaceutical product packaging, wherein the methodincludes, in a computer system: receiving indicating data from a sensingdevice, the sensing device being responsive to sensing of the coded datato generate indicating data indicative of the identity; determining,from the indicating data, a determined identity; accessing, using thedetermined identity, tracking data relating to the pharmaceuticalproduct, the tracking data being at least partially indicative of thelocation of the pharmaceutical product; and, determining, using thetracking data, if the pharmaceutical product is a possible duplicate.

Optionally, the method is further used for tracking the pharmaceuticalproduct, the method including, in a computer system: receivingindicating data from the sensing device, the sensing device beingresponsive to sensing of the coded data to generate indicating dataindicative of the identity of the product item; and, updating, using thereceived indicating data, tracking data at least partially indicative oftracking information.

Optionally, the method is further used for dispensing the pharmaceuticalproduct, the method including, in a computer system: receivingindicating data from the sensing device, the sensing device beingresponsive to sensing of the coded data to generate indicating data atleast partially indicative of the identity; determining, using theindicating data and from a dispensing database, at least one criterionfor dispensing the pharmaceutical product; and, causing thepharmaceutical product to be dispensed if the at least one criterion issatisfied.

Optionally, the sensing device is for use with the pharmaceuticalproduct, the sensing device including: a housing adapted to be held by auser in use; a radiation source for exposing at least one coded dataportion; a sensor for sensing the at least one exposed coded dataportion; and, a processor for determining, using the at least one sensedcoded data portion, a sensed identity. In a ninth broad form theinvention provides a method of dispensing a pharmaceutical product, thepharmaceutical product being associated with packaging having disposedthereon or therein coded data, at least some of the coded data beingindicative of at least an identity of the pharmaceutical product, themethod including, in a computer system: receiving indicating data from asensing device, the sensing device being responsive to sensing of thecoded data to generate indicating data at least partially indicative ofthe identity; determining, using the indicating data and from adispensing database, at least one criterion for dispensing thepharmaceutical product; and, causing the pharmaceutical product to bedispensed if the at least one criterion is satisfied.

Optionally, the at least one criterion is indicative of an intendedrecipient of the pharmaceutical product, and wherein the methodincludes, in the computer system: determining identity data indicativeof an identity of an individual requesting the pharmaceutical product;comparing the identity data to the at least one criterion; and,determining the at least one criterion to be satisfied if the identityof the individual is the same as the identity of the intended recipient.

Optionally, the sensing device includes a data store for storing theidentity data, and wherein the method includes determining the identitydata from the data store.

Optionally, the at least one criterion is indicative of at least one of:an intended time for dispensing the pharmaceutical product; an intendeddate for dispensing the pharmaceutical product; and, an intendedlocation for dispensing the pharmaceutical product.

Optionally, the coded data includes a number of coded data portions,each coded data portion being indicative of at least part of asignature, the signature being a digital signature of at least part ofthe identity, wherein, in response to sensing of at least one coded dataportion, the sensing device generates indicating data at least partiallyindicative of at least one signature part, and wherein the methodincludes, in the computer system: determining, from the indicating data,a determined identity and at least one determined signature part;authenticating the pharmaceutical product using the determined identityand the at least one determined signature part; and, dispensing thepharmaceutical product in response to a successful authentication.

Optionally, the entire signature is encoded within a plurality of codeddata portions and wherein the method includes, in the sensing device,sensing a number of coded data portions to thereby determine the entiresignature.

Optionally, the method includes, in the computer system, communicatingwith a database, the database storing data relating the pharmaceuticalproduct, including at least one of: authentication data, including atleast a key associated with a signature, the signature being a digitalsignature of at least part of the identity; tracking data, the trackingdata being at least partially indicative of tracking informationincluding at least one of: an owner of the pharmaceutical product; oneor more transactions performed using the pharmaceutical product; alocation of the pharmaceutical product; and, a location of the sensingdevice; and, product data, the product data being at least partiallyindicative of product information including at least one of: a productcost; a patient identifier; a user identifier; an owner identifier;manufacture date; batch number; product manufacturer; productdistributor; product supplier; issue country; ingredients; storageconditions; disposal conditions; serial number; expiry date; effects;side-effects; conditions for use; instructions for use; links to furtherinformation; contra-indications; and, dosage.

Optionally, the method includes, in the computer system, causing displayof at least one of: results of authentication; tracking information;and, product information.

Optionally, the identity is formed at least in part from at least oneof: a coded data portion identity; an identity of the pharmaceuticalproduct; an EPC; an identity of the packaging; and, an identity of aregion of the packaging.

Optionally, packaging includes at least one of: a blister pack; abottle; a bottle lid; a label; a box; and, a leaflet.

Optionally, the coded data is substantially invisible to an unaidedhuman.

Optionally, the coded data is printed on the surface using at least oneof: an invisible ink; and, an infrared-absorptive ink.

Optionally, the coded data is provided substantially coincident withvisible human-readable information.

Optionally, the coded includes a number of coded data portions, andwherein at least some of the coded data portions encode at least one of:a location of the respective coded data portion; a position of therespective coded data portion on the surface; a size of the coded dataportions; a signature part; a size of a signature; an identity of asignature part; units of indicated locations; and, at least part of adata object, the entire data object being encoded at least once by aplurality of coded data portions.

Optionally, the data object includes at least one of: MultipurposeInternet Mail Extensions (MIME) data; text data; image data; audio data;video data; application data; contact data; information; business carddata; and, directory data.

Optionally, the coded data includes at least one of: redundant data;data allowing error correction; Reed-Solomon data; and, CyclicRedundancy Check (CRC) data.

Optionally, the digital signature includes at least one of: a randomnumber associated with the identity; a keyed hash of at least theidentity; a keyed hash of at least the identity produced using a privatekey, and verifiable using a corresponding public key; cipher-textproduced by encrypting at least the identity; cipher-text produced byencrypting at least the identity and a random number; and, cipher-textproduced using a private key, and verifiable using a correspondingpublic key.

Optionally, the coded data is arranged in accordance with at least onelayout having n-fold rotational symmetry, where n is at least two, thelayout including n identical sub-layouts rotated 1/n revolutions apartabout a centre of rotation, at least one sub-layout includingrotation-indicating data that distinguishes that sub-layout from eachother sub-layout.

Optionally, the coded data is arranged in accordance with at least onelayout having n-fold rotational symmetry, where n is at least two, thelayout encoding orientation-indicating data comprising a sequence of aninteger multiple m of n symbols, where m is one or more, each encodedsymbol being distributed at n locations about a centre of rotationalsymmetry of the layout such that decoding the symbols at each of the norientations of the layout produces n representations of theorientation-indicating data, each representation comprising a differentcyclic shift of the orientation-indicating data and being indicative ofthe degree of rotation of the layout.

Optionally, the method includes the use of a transaction terminal forperforming transactions relating to the pharmaceutical product, thetransaction terminal including: a radiation source for exposing at leastone coded data portion; a sensor for sensing the at least one exposedcoded data portion; and, a processor for: determining, using the atleast one sensed coded data portion, a sensed identity; and, performingthe transaction using the sensed identity.

Optionally, the method includes the use of a printer for printing thepackaging, the printer being for: determining visible information to beprovided on the packaging; determining an identity associated with thepharmaceutical product; generating coded data using the identity, thecoded data including a number of coded data portions, each coded dataportion being indicative of at least the identity of the pharmaceuticalproduct; and, printing the packaging by printing the coded data and thevisible information.

Optionally, the method is further used for allowing a user to interactwith a pharmaceutical product, the method including, in a computersystem: receiving indicating data from the sensing device, the sensingdevice being responsive to sensing of the coded data to generateindicating data at least partially indicative of the identity;determining, using the indicating data, at least one action; and,performing the action associated with the pharmaceutical product, theaction including at least one of: providing information to a user;updating tracking information relating to the pharmaceutical product;performing a transaction relating to the pharmaceutical product;authenticating the pharmaceutical product; and, receiving feedback fromthe user.

Optionally, the method is further used for authenticating thepharmaceutical product, each coded data portion being further indicativeof at least part of a signature, the signature being a digital signatureof at least part of the identity and being encoded within a plurality ofcoded data portions, wherein the method includes: in the sensing device:sensing at least one coded data portion; and, generating, using thesensed coded data portion, indicating data indicative of: the identity;and, the at least one signature part; in a processor: determining, fromthe indicating data: a determined identity; and, at least one determinedsignature part; authenticating the pharmaceutical product using thedetermined identity and the at least one determined signature part.

Optionally, the method is further used for authenticating thepharmaceutical product, each coded data portion being further indicativeof at least part of a signature, the signature being a digital signatureof at least part of the identity, wherein the method includes, in acomputer system: receiving indicating data from the sensing device, thesensing device being responsive to sensing of the coded data to generateindicating data at least partially indicative of: the identity of thepharmaceutical product; and, the signature part; determining, from theindicating data: a determined identity; and, at least one determinedsignature part; authenticating the pharmaceutical product using thedetermined identity and the at least one determined signature part.

Optionally, the method is further used for determining a possibleduplication of pharmaceutical product packaging, wherein the methodincludes, in a computer system: receiving indicating data from a sensingdevice, the sensing device being responsive to sensing of the coded datato generate indicating data indicative of the identity; determining,from the indicating data, a determined identity; accessing, using thedetermined identity, tracking data relating to the pharmaceuticalproduct, the tracking data being at least partially indicative of thelocation of the pharmaceutical product; and, determining, using thetracking data, if the pharmaceutical product is a possible duplicate.

Optionally, the method is further used for tracking the pharmaceuticalproduct, the method including, in a computer system: receivingindicating data from the sensing device, the sensing device beingresponsive to sensing of the coded data to generate indicating dataindicative of the identity of the product item; and, updating, using thereceived indicating data, tracking data at least partially indicative oftracking information.

Optionally, the method is further used for producing pharmaceuticalproduct packaging, wherein the method includes, in a computer system:determining a serial number associated with a pharmaceutical product;generating, using the serial number, an identity; generating, using theidentity, a signature; causing generation of coded data using theidentity, the coded data including a number of coded data portions, eachcoded data portion encoding the identity; and, at least part of thesignature, the signature being a digital signature of at least part ofthe identity; causing printing of, on the pharmaceutical productpackaging: at least some coded data, and at least one of: the identity;and, the serial number.

Optionally, the sensing device is for use with the pharmaceuticalproduct, the sensing device including: a housing adapted to be held by auser in use; a radiation source for exposing at least one coded dataportion; a sensor for sensing the at least one exposed coded dataportion; and, a processor for determining, using the at least one sensedcoded data portion, a sensed identity. In another broad form theinvention provides a method of dispensing a pharmaceutical product, thepharmaceutical product being associated with packaging having disposedthereon or therein coded data, at least some of the coded data beingindicative of at least an identity of the pharmaceutical product, themethod including, in a sensing device: sensing at least some of thecoded data; determining, using the sensed coded data, indicating data atleast partially indicative of the identity; and, transferring theindicating data to a computer system, the computer system beingresponsive to the indicating data for: determining, using the indicatingdata and from a dispensing database, at least one criterion fordispensing the pharmaceutical product; and, causing the pharmaceuticalproduct to be dispensed if the at least one criterion is are satisfied.

In an tenth broad form the invention provides a sensing device for usewith a pharmaceutical product, the pharmaceutical product beingassociated with packaging having disposed thereon or therein coded dataincluding a number of coded data portions, each coded data portion beingindicative of an identity of the pharmaceutical product, the sensingdevice including: a housing adapted to be held by a user in use; aradiation source for exposing at least one coded data portion; a sensorfor sensing the at least one exposed coded data portion; and, aprocessor for determining, using the at least one sensed coded dataportion, a sensed identity.

Optionally, the sensing device includes a communication system andwherein the processor: generates indicating data at least partiallyindicative of the sensed identity; and, transfers the indicating data toa computer system, the computer system being responsive to theindicating data to perform an action including at least one of:authentication of the pharmaceutical product; approval of thetransaction; determination of transaction details; and, updating oftracking information relating to the pharmaceutical product.

Optionally, the processor uses the sensed identity to perform at leastone of: authentication of the pharmaceutical product; approval of thetransaction; determination of transaction details; and, updating oftracking information relating to the pharmaceutical product.

Optionally, the identity is formed at least in part from at least oneof: a serial number of the pharmaceutical product; an identity of thepharmaceutical product; an EPC; an identity of the packaging; and, anidentity of a region of the packaging.

Optionally, coded data portion is indicative of at least part of asignature, the signature being a digital signature of at least part ofthe identity, and wherein the processor: determines, using the at leastone sensed coded data portion, at least one sensed signature part;causes authentication of the pharmaceutical product using the sensedidentity and the at least one sensed signature part.

Optionally, the pharmaceutical product is authenticated by at least oneof the processor and a computer system, which: determines, using thesensed identity, a key; determines, using the sensed identity and thekey, a determined signature; and, compares the at least one sensedsignature part and the determined signature to thereby authenticate thepharmaceutical product.

Optionally, the entire signature is encoded within a plurality of codeddata portions, the processor determines, from a plurality of sensedcoded data portions, a sensed signature, and wherein pharmaceuticalproduct is authenticated by at least one of the processor, and acomputer system, which: determines, using the sensed identity, a key;determines, using the sensed signature and the key, a determinedidentity; and, compares the determined identity and the sensed identityto thereby authenticate the pharmaceutical product.

Optionally, the coded data includes a plurality of layouts, each layoutdefining the position of a plurality of first symbols encoding theidentity, and a plurality of second symbols defining at least part ofthe signature.

Optionally, packaging includes at least one of: a blister pack; abottle; a bottle lid; a label; a box; and, a leaflet.

Optionally, the sensing device includes a communication system forcommunicating with a database, the database storing data relating thepharmaceutical product, including at least one of: authentication data,including at least a key associated with a signature, the signaturebeing a digital signature of at least part of the identity; trackingdata, the tracking data being at least partially indicative of trackinginformation including at least one of: an owner of the pharmaceuticalproduct; one or more transactions performed using the pharmaceuticalproduct; a location of the pharmaceutical product; and, a location ofthe sensing device. product data, the product data being at leastpartially indicative of product information including at least one of: aproduct cost; a patient identifier; a user identifier; an owneridentifier; manufacture date; batch number; product manufacturer;product distributor; product supplier; issue country; ingredients;storage conditions; disposal conditions; serial number; expiry date;effects; side-effects; conditions for use; instructions for use; linksto further information; contra-indications; and, dosage.

Optionally, the sensing device includes a display for displaying atleast one of: results of authentication; tracking information; and,product information.

Optionally, the coded data is substantially invisible to an unaidedhuman.

Optionally, the coded data is printed on the surface using at least oneof: an invisible ink; and, an infrared-absorptive ink.

Optionally, the coded data is provided substantially coincident withvisible human-readable information.

Optionally, the coded includes a number of coded data portions, andwherein at least some of the coded data portions encode at least one of:a location of the respective coded data portion; a position of therespective coded data portion on the surface; a size of the coded dataportions; a signature part; a size of a signature; an identity of asignature part; units of indicated locations; and, at least part of adata object, the entire data object being encoded at least once by aplurality of coded data portions.

Optionally, the data object includes at least one of: MultipurposeInternet Mail Extensions (MIME) data; text data; image data; audio data;video data; application data; contact data; information; business carddata; and, directory data.

Optionally, the coded data includes at least one of: redundant data;data allowing error correction; Reed-Solomon data; and, CyclicRedundancy Check (CRC) data.

Optionally, the digital signature includes at least one of: a randomnumber associated with the identity; a keyed hash of at least theidentity; a keyed hash of at least the identity produced using a privatekey, and verifiable using a corresponding public key; cipher-textproduced by encrypting at least the identity; cipher-text produced byencrypting at least the identity and a random number; and, cipher-textproduced using a private key, and verifiable using a correspondingpublic key.

Optionally, the coded data is arranged in accordance with at least onelayout having n-fold rotational symmetry, where n is at least two, thelayout including n identical sub-layouts rotated 1/n revolutions apartabout a centre of rotation, at least one sub-layout includingrotation-indicating data that distinguishes that sub-layout from eachother sub-layout.

Optionally, the coded data is arranged in accordance with at least onelayout having n-fold rotational symmetry, where n is at least two, thelayout encoding orientation-indicating data comprising a sequence of aninteger multiple m of n symbols, where m is one or more, each encodedsymbol being distributed at n locations about a centre of rotationalsymmetry of the layout such that decoding the symbols at each of the norientations of the layout produces n representations of theorientation-indicating data, each representation comprising a differentcyclic shift of the orientation-indicating data and being indicative ofthe degree of rotation of the layout.

Optionally, is coupled to a transaction terminal for performingtransactions relating to the pharmaceutical product, the transactionterminal including: a radiation source for exposing at least one codeddata portion; a sensor for sensing the at least one exposed coded dataportion; and, a processor for: determining, using the at least onesensed coded data portion, a sensed identity; and, performing thetransaction using the sensed identity.

Optionally, is coupled to a printer for printing packaging associatedwith the pharmaceutical product, the printer being for: determiningvisible information to be provided on the packaging; determining anidentity associated with the pharmaceutical product; generating codeddata using the identity, the coded data including a number of coded dataportions, each coded data portion being indicative of at least theidentity of the pharmaceutical product; and, printing the packaging byprinting the coded data and the visible information.

Optionally, the sensing device is further used to perform a method ofallowing a user to interact with the pharmaceutical product, the methodincluding, in a computer system: receiving indicating data from thesensing device, the sensing device being responsive to sensing of thecoded data to generate indicating data at least partially indicative ofthe identity; determining, using the indicating data, at least oneaction; and, performing the action associated with the pharmaceuticalproduct, the action including at least one of: providing information toa user; updating tracking information relating to the pharmaceuticalproduct; performing a transaction relating to the pharmaceuticalproduct; authenticating the pharmaceutical product; and, receivingfeedback from the user.

Optionally, the sensing device is further used to perform a method forauthenticating the pharmaceutical product, each coded data portion beingfurther indicative of at least part of a signature, the signature beinga digital signature of at least part of the identity and being encodedwithin a plurality of coded data portions, wherein the method includes:in the sensing device: sensing at least one coded data portion; and,generating, using the sensed coded data portion, indicating dataindicative of: the identity; and, the at least one signature part; in aprocessor: determining, from the indicating data: a determined identity;and, at least one determined signature part; authenticating thepharmaceutical product using the determined identity and the at leastone determined signature part.

Optionally, the sensing device is further used to perform a method forauthenticating the pharmaceutical product, each coded data portion beingfurther indicative at least part of a signature, the signature being adigital signature of at least part of the identity, wherein the methodincludes, in a computer system: receiving indicating data from thesensing device, the sensing device being responsive to sensing of thecoded data to generate indicating data at least partially indicative of:the identity of the pharmaceutical product; and, the signature part;determining, from the indicating data: a determined identity; and, atleast one determined signature part; authenticating the pharmaceuticalproduct using the determined identity and the at least one determinedsignature part.

Optionally, the sensing device is further used to perform a method ofdetermining a possible duplication of pharmaceutical product packaging,wherein the method includes, in a computer system: receiving indicatingdata from the sensing device, the sensing device being responsive tosensing of the coded data to generate indicating data indicative of theidentity; determining, from the indicating data, a determined identity;accessing, using the determined identity, tracking data relating to thepharmaceutical product, the tracking data being at least partiallyindicative of the location of the pharmaceutical product; and,determining, using the tracking data, if the pharmaceutical product is apossible duplicate.

Optionally, the sensing device is further used to perform a method oftracking the pharmaceutical product, the method including, in a computersystem: receiving indicating data from a sensing device, the sensingdevice being responsive to sensing of the coded data to generateindicating data indicative of the identity of the product item; and,updating, using the received indicating data, tracking data at leastpartially indicative of tracking information.

Optionally, the sensing device is further used to perform a method ofproducing pharmaceutical product packaging, wherein the method includes,in a computer system: determining a serial number associated with thepharmaceutical product; generating, using the serial number, anidentity; generating, using the identity, a signature; causinggeneration of coded data using the identity, the coded data including anumber of coded data portions, each coded data portion encoding theidentity; and, at least part of the signature, the signature being adigital signature of at least part of the identity; causing printing of,on the pharmaceutical product packaging: at least some coded data, andat least one of: the identity; and, the serial number.

Optionally, the sensing device is further used to perform a method ofdispensing the pharmaceutical product, the method including, in acomputer system: receiving indicating data from a sensing device, thesensing device being responsive to sensing of the coded data to generateindicating data at least partially indicative of the identity;determining, using the indicating data and from a dispensing database,at least one criterion for dispensing the pharmaceutical product; and,causing the pharmaceutical product to be dispensed if the at least onecriterion is satisfied.

In an eleventh broad form the present invention provides a method ofverifying an object, wherein the method includes, in a computer system:receiving a verification request, the request being at least partiallyindicative of: an identity of the object; at least one signaturefragment, the signature being a digital signature of at least part ofthe identity; determining, using the verification request, a determinedidentity; determining, using the determined identity, and from adatabase, at least one criterion relating to verification; and,comparing the received verification request to the at least onecriterion; and causing the object to be verified if the at least onecriterion is satisfied.

Optionally the at least one criterion relates to a limit on at least oneof: a number of received verification requests; a rate of receivedverification requests; and, timing of received verification requests.

Optionally the limit is defined in respect of at least one of: theidentity of the object; the signature; the signature fragment; averification request source; and, the object.

Optionally the limit is proportional to a size of the signaturefragment.

Optionally the method includes, in the computer system: determining,using the verification request: a request history indicative of a numberof previously received verification requests; and, a correspondinglimit; determining, using the verification request and the requesthistory, a request number; and, causing the object to be verified if therequest number does not exceed the corresponding limit.

Optionally the method includes, in the computer system, and in responseto a verification request, updating the request history.

Optionally the request history is indicative of the timing of thereceived verification request.

Optionally the request history is associated with: the identity of theobject; the signature; the signature fragment; a verification requestsource; and, the object.

Optionally the method includes, in the computer system, verifying theobject by authenticating the object using the identity of the object andthe at least one signature fragment.

Optionally the verification request is at least partially indicative ofan identity of the signature fragment.

Optionally the object is associated with a surface having disposedthereon or therein coded data including a number of coded data portions,each coded data portion being indicative of at least the identity and asignature fragment, and wherein, in response to sensing of at least onecoded data portion, a sensing device generates the verification request.

Optionally the verification request is at least partially indicative ofan identity of the signature fragment, the fragment identity being basedon at least one of: a number encoded within the at least one sensedcoded data portion; and, a position of the at least one sensed codeddata portion on the surface.

Optionally the method includes, in the computer system, only comparingthe received verification request to the at least one criterion after afailed verification.

Optionally the method includes, in a computer system: receiving averification request, the request being at least partially indicativeof: an identity of the object; a concatenation of: a signature fragment,the signature fragment being a digital signature of at least part of theidentity; and a random signature; determining, using the verificationrequest, a determined identity; determining, using the concatenation,the signature fragment; and, verifying the object using the determinedidentity and the signature fragment.

Optionally the method includes, in the computer system: determining,using the determined identity, a key; generating, using the determinedidentity and the key, a generated signature; comparing the generatedsignature to the concatenation to thereby identify and authenticate thesignature fragment.

In another broad form the present invention provides coded data fordisposal on or in a surface, the coded data including a number of codeddata portions, each coded data portion encoding: an identity; and, afragment of a signature, the signature being a digital signature of atleast part of the identity; and a random signature.

In another broad form the present invention provides coded data fordisposal on or in a surface, the coded data including a number of codeddata portions, each coded data portion being at least partiallyindicative of: an identity; at least fragment of a signature, thesignature being a digital signature of at least part of the identity;and, a position of the coded data on the surface.

Optionally each coded data portion is at least partially indicative of adata portion identity, the data portion identity being unique for eachcoded data portion, the data portion identity being indicative of theposition.

Optionally the coded data is disposed on or in the surface using alayout, the layout being indicative of, for each data portion identity,the position of the corresponding coded data portion.

Optionally the signature is generated using RSA encryption.

BRIEF DESCRIPTION OF THE DRAWINGS

An example of the present invention will now be described with referenceto the accompanying drawings, in which:

FIG. 1 is an example of a document including Hyperlabel encoding;

FIG. 2 is an example of a system for interacting with the Hyperlabeldocument of FIG. 1;

FIG. 3 is a further example of system for interacting with theHyperlabel document of FIG. 1;

FIG. 4. is a first example of a tag structure;

FIG. 5. is an example of a symbol unit cell for the tag structure ofFIG. 4;

FIG. 6. is an example of an array of the symbol unit cells of FIG. 5;

FIG. 7. is an example of symbol bit ordering in the unit cells of FIG.5;

FIG. 8. is an example of the tag structure of FIG. 4 with every bit set;

FIG. 9. is an example of tag types within a tag group for the tagstructure of FIG. 4;

FIG. 10. is an example of continuous tiling of the tag groups of FIG. 9;

FIG. 11. is an example of the orientation-indicating cyclic positioncodeword R for the tag group of FIG. 4;

FIG. 12. is an example of a local codeword A for the tag group of FIG.4;

FIG. 13. is an example of distributed codewords B, C, D and E, for thetag group of FIG. 4;

FIG. 14. is an example of a layout of complete tag group;

FIG. 15. is an example of a code word for the tag group of FIG. 4;

FIG. 16. is an example of an alternative tag group for the tag structureof FIG. 4;

FIG. 17. is a second example of a tag structure;

FIG. 18. is a third example of a tag structure;

FIG. 19 is an example of an item signature object model;

FIG. 20 is an example of Hyperlabel tags applied to a pharmaceuticalitem;

FIG. 21 is an example of a pharmaceutical distribution process;

FIG. 22. is an example of Scanning at Retailer interactions;

FIG. 23. is an example of Online Scanning interaction detail;

FIG. 24. is an example of Offline Scanning interaction details;

FIG. 25. is an example of netpage Pen Scanning interactions;

FIG. 26. is an example of netpage Pen Scanning interaction details;

FIG. 27. is an example of a Hyperlabel tag class diagram;

FIG. 28. is an example of a item ID class diagram

FIG. 29. is an example of a pharmaceutical ID class diagram

FIG. 30. is an example of an Object Description, ownership andaggregation class diagram;

FIG. 31. is an example of an Object Scanning History class diagram;

FIG. 32. is an example of scanner class diagram;

FIG. 33. is an example of an object ID hot list diagram;

FIG. 34. is an example of a valid ID range class diagram;

FIG. 35. is an example of Public Key List class diagram;

FIG. 36. is an example of a Trusted Authenticator class diagram;

FIG. 37. is an example of Tagging and Tracking Object Management;

FIG. 38. is an example of a Hyperlabel supermarket checkout;

FIG. 39. is an example of a cash register;

FIG. 40. is an example of a handheld validity scanner.

DETAILED DESCRIPTION OF THE DRAWINGS

The Netpage surface coding consists of a dense planar tiling of tags.Each tag encodes its own location in the plane. Each tag also encodes,in conjunction with adjacent tags, an identifier of the regioncontaining the tag. In the Netpage system, the region typicallycorresponds to the entire extent of the tagged surface, such as one sideof a sheet of paper.

Hyperlabel is the adaptation of the Netpage tags for use in unique itemidentification for a wide variety of applications, including securitydocument protection, object tracking, pharmaceutical security,supermarket automation, interactive product labels, web-browsing fromprinted surfaces, paper based email, and many others.

Using Memjet™ digital printing technology (which is the subject of anumber of pending U.S. patent applications including U.S. Ser. No.10/407,212), Hyperlabel tags are printed over substantially an entiresurface, such as a security document, bank note, or pharmaceuticalpackaging, using infrared (IR) ink. By printing the tags ininfrared-absorptive ink on any substrate which is infrared-reflective,the near-infrared wavelengths, and hence the tags are invisible to thehuman eye but are easily sensed by a solid-state image sensor with anappropriate filter. This allows machine readable information to beencoded over a large portion of the note or other surface, with novisible effect on the original note text or graphics thereon. A scanninglaser or image sensor can read the tags on any part of the surface toperforms associated actions, such as validating each individual note oritem.

An example of such a hyperlabel encoded document, is shown in FIG. 1. Inthis example, the hyperlabel document consists of graphic data 2 printedusing visible ink, and coded data 3 formed from hyperlabel tags 4. Thedocument includes an interactive element 6 defined by a zone 7 whichcorresponds to the spatial extent of a corresponding graphic 8. In use,the tags encode tag data including an ID. By sensing at least one tag,and determining and interpreting the encoded ID using an appropriatesystem, this allows the associated actions to be performed.

In one example, a tag map is used to define a layout of the tags on thehyperlabel document based on the ID encoded within the tag data. The IDcan also be used to reference a document description which describes theindividual elements of the hyperlabel document, and in particulardescribes the type and spatial extent (zone) of interactive elements,such as a button or text field. Thus, in this example, the element 6 hasa zone 7 which corresponds to the spatial extent of a correspondinggraphic 8. This allows a computer system to interpret interactions withthe hyperlabel document.

In position indicating techniques, the ID encoded within the tag data ofeach tag allows the exact position of the tag on the hyperlabel documentto be determined from the tag map. The position can then be used todetermine whether the sensed tag is positioned in a zone of aninteractive element from the document description.

In object indicating techniques, the ID encoded within the tag dataallows the presence of the tag in a region of the document to bedetermined from the tag map (the relative position of the tag within theregion may also be indicated). In this case, the document descriptioncan be used to determine whether the region corresponds to the zone ofan interactive element.

An example of this process will now be described with reference to FIGS.2 and 3 which show how a sensing device in the form of a netpage orhyperlabel pen 101, which interacts with the coded data on a printedhyperlabel document 1, such as a security document, label, productpackaging or the like.

The hyperlabel pen 101 senses a tag using an area image sensor anddetects tag data. The hyperlabel pen 101 uses the sensed coded data togenerate interaction data which is transmitted via a short-range radiolink 9 to a relay 44, which may form part of a computer 75 or a printer601. The relay sends the interaction data, via a network 19, to adocument server 10, which uses the ID to access the documentdescription, and interpret the interaction. In appropriatecircumstances, the document server sends a corresponding message to anapplication server 13, which can then perform a corresponding action.

In an alternative embodiment, the PC, Web terminal, netpage printer orrelay device may communicate directly with local or remote applicationsoftware, including a local or remote Web server. Relatedly, output isnot limited to being printed by the netpage printer. It can also bedisplayed on the PC or Web terminal, and further interaction can bescreen-based rather than paper-based, or a mixture of the two.

Typically hyperlabel pen users register with a registration server 11,which associates the user with an identifier stored in the respectivehyperlabel pen. By providing the sensing device identifier as part ofthe interaction data, this allows users to be identified, allowingtransactions or the like to be performed.

Hyperlabel documents are generated by having an ID server generate an IDwhich is transferred to the document server 10. The document server 10determines a document description and then records an associationbetween the document description and the ID, to allow subsequentretrieval of the document description using the ID.

The ID is then used to generate the tag data, as will be described inmore detail below, before the document is printed by the hyperlabelprinter 601, using the page description and the tag map.

Each tag is represented by a pattern which contains two kinds ofelements. The first kind of element is a target. Targets allow a tag tobe located in an image of a coded surface, and allow the perspectivedistortion of the tag to be inferred. The second kind of element is amacrodot. Each macrodot encodes the value of a bit by its presence orabsence.

The pattern is represented on the coded surface in such a way as toallow it to be acquired by an optical imaging system, and in particularby an optical system with a narrowband response in the near-infrared.The pattern is typically printed onto the surface using a narrowbandnear-infrared ink.

In the Hyperlabel system the region typically corresponds to the surfaceof an entire product item, or to a security document, and the region IDcorresponds to the unique item ID. For clarity in the followingdiscussion we refer to items and item IDs (or simply IDs), with theunderstanding that the item ID corresponds to the region ID.

The surface coding is designed so that an acquisition field of viewlarge enough to guarantee acquisition of an entire tag is large enoughto guarantee acquisition of the ID of the region containing the tag.Acquisition of the tag itself guarantees acquisition of the tag'stwo-dimensional position within the region, as well as othertag-specific data. The surface coding therefore allows a sensing deviceto acquire a region ID and a tag position during a purely localinteraction with a coded surface, e.g. during a “click” or tap on acoded surface with a pen.

A wide range of different tag structures can be used, and some exampleswill now be described.

First Example Tag Structure

FIG. 4 shows the structure of a complete tag. Each of the four blackcircles is a target. The tag, and the overall pattern, has four-foldrotational symmetry at the physical level.

Each square region represents a symbol, and each symbol represents fourbits of information.

FIG. 5 shows the structure of a symbol. It contains four macrodots, eachof which represents the value of one bit by its presence (one) orabsence (zero).

The macrodot spacing is specified by the parameter s throughout thisdocument. It has a nominal value of 143 μm, based on 9 dots printed at apitch of 1600 dots per inch. However, it is allowed to vary by ±10%according to the capabilities of the device used to produce the pattern.

FIG. 6 shows an array of nine adjacent symbols. The macrodot spacing isuniform both within and between symbols.

FIG. 7 shows the ordering of the bits within a symbol. Bit zero is theleast significant within a symbol; bit three is the most significant.Note that this ordering is relative to the orientation of the symbol.The orientation of a particular symbol within the tag is indicated bythe orientation of the label of the symbol in the tag diagrams. Ingeneral, the orientation of all symbols within a particular segment ofthe tag have the same orientation, consistent with the bottom of thesymbol being closest to the centre of the tag.

Only the macrodots are part of the representation of a symbol in thepattern. The square outline of a symbol is used in this document to moreclearly elucidate the structure of a tag. FIG. 8, by way ofillustration, shows the actual pattern of a tag with every bit set. Notethat, in practice, every bit of a tag can never be set.

A macrodot is nominally circular with a nominal diameter of ( 5/9)s.However, it is allowed to vary in size by ±10% according to thecapabilities of the device used to produce the pattern.

A target is nominally circular with a nominal diameter of ( 17/9)s.However, it is allowed to vary in size by ±10% according to thecapabilities of the device used to produce the pattern.

The tag pattern is allowed to vary in scale by up to ±10% according tothe capabilities of the device used to produce the pattern. Anydeviation from the nominal scale is recorded in the tag data to allowaccurate generation of position samples.

Each symbol shown in the tag structure in FIG. 4 has a unique label.Each label consists an alphabetic prefix and a numeric suffix.

Tag Group

Tags are arranged into tag groups. Each tag group contains four tagsarranged in a square. Each tag therefore has one of four possible tagtypes according to its location within the tag group square. The tagtypes are labelled 00, 10, 01 and 11, as shown in FIG. 9.

Each tag in the tag group is rotated as shown in the figure, i.e. tagtype 00 is rotated 0 degrees, tag type 10 is rotated 90 degrees, tagtype 11 is rotated 180 degrees, and tag type 01 is rotated 270 degrees.

FIG. 10 shows how tag groups are repeated in a continuous tiling oftags. The tiling guarantees the any set of four adjacent tags containsone tag of each type.

Orientation-Indicating Cyclic Position Code

The tag contains a 2⁴-ary (4, 1) cyclic position codeword which can bedecoded at any of the four possible orientations of the tag to determinethe actual orientation of the tag. Symbols which are part of the cyclicposition codeword have a prefix of “R” and are numbered 0 to 3 in orderof increasing significance.

The cyclic position codeword is (0, 7, 9, E₁₆). Note that it only usesfour distinct symbol values, even though a four-bit symbol has sixteenpossible values. During decoding, any unused symbol value should, ifdetected, be treated as an erasure. To maximise the probability oflow-weight bit error patterns causing erasures rather than symbolerrors, the symbol values are chosen to be as evenly spaced on thehypercube as possible.

The minimum distance of the cyclic position code is 4, hence itserror-correcting capacity is one symbol in the presence of up to oneerasure, and no symbols in the presence of two or more erasures.

The layout of the orientation-indicating cyclic position codeword isshown in FIG. 11.

Local Codeword

The tag locally contains one complete codeword which is used to encodeinformation unique to the tag. The codeword is of a punctured 2⁴-ary(13, 7) Reed-Solomon code. The tag therefore encodes up to 28 bits ofinformation unique to the tag.

The layout of the local codeword is shown in FIG. 12.

Distributed Codewords

The tag also contains fragments of four codewords which are distributedacross the four adjacent tags in a tag group and which are used toencode information common to a set of contiguous tags. Each codeword isof a 2⁴-ary (15, 11) Reed-Solomon code. Any four adjacent tags thereforetogether encode up to 176 bits of information common to a set ofcontiguous tags.

The layout of the four complete codewords, distributed across the fouradjacent tags in a tag group, is shown in FIG. 13. The order of the fourtags in the tag group in FIG. 13 is the order of the four tags in FIG.9.

FIG. 14 shows the layout of a complete tag group.

Reed-Solomon Encoding

Local Codeword

The local codeword is encoded using a punctured 2⁴-ary (13, 7)Reed-Solomon code. The code encodes 28 data bits (i.e. seven symbols)and 24 redundancy bits (i.e. six symbols) in each codeword. Itserror-detecting capacity is six symbols. Its error-correcting capacityis three symbols.

As shown in FIG. 15, codeword coordinates are indexed in coefficientorder, and the data bit ordering follows the codeword bit ordering.

The code is a 2⁴-ary (15, 7) Reed-Solomon code with two redundancycoordinates removed. The removed coordinates are the most significantredundancy coordinates.

The code has the following primitive polynominal:p(x)=x ⁴ +x+1  (EQ 1)

The code has the following generator polynominal:g(x)=(x+α)(x+α ²) . . . (x+α ⁸)  (EQ 2)Distributed Codewords

The distributed codewords are encoded using a 2⁴-ary (15, 11)Reed-Solomon code. The code encodes 44 data bits (i.e. eleven symbols)and 16 redundancy bits (i.e. four symbols) in each codeword. Itserror-detecting capacity is four symbols. Its error-correcting capacityis two symbols.

Codeword coordinates are indexed in coefficient order, and the data bitordering follows the codeword bit ordering.

The code has the same primitive polynominal as the local codeword code.

The code has the following generator polynominal:g(x)=(x+α)(x+α ²) . . . (x+α ⁴)  (EQ 3)Tag Coordinate Space

The tag coordinate space has two orthogonal axes labelled x and yrespectively. When the positive x axis points to the right then thepositive y axis points down.

The surface coding does not specify the location of the tag coordinatespace origin on a particular tagged surface, nor the orientation of thetag coordinate space with respect to the surface. This information isapplication-specific. For example, if the tagged surface is a sheet ofpaper, then the application which prints the tags onto the paper mayrecord the actual offset and orientation, and these can be used tonormalise any digital ink subsequently captured in conjunction with thesurface.

The position encoded in a tag is defined in units of tags. Byconvention, the position is taken to be the position of the centre ofthe target closest to the origin.

Tag Information Content

Field Definitions

Table 1 defines the information fields embedded in the surface coding.Table 2 defines how these fields map to codewords. TABLE 1 Fielddefinitions width field (bits) description per tag x coordinate 9 or 13The unsigned x coordinate of the tag allows maximum coordinate values ofapproximately 0.9 m and 14 m respectively. y coordinate 9 or 13 Theunsigned y coordinate of the tag allows maximum coordinate values ofapproximately 0.9 m and 14 m respectively active area flag 1 b‘1’indicates whether the area (the diameter of the area ntered on the tag,is nominally 5 times the diagonal size of the tag) immediatelysurrounding the tag intersects an active area data fragment flag 1 Aflag indicating whether a data fragment is present (see next field).b‘1’ indicates the presence of a data fragment. If the data fragment ispresent then the width of the x and y coordinate fields is 9. If it isabsent then the width is 13. data fragment 0 or 8  A fragment of anembedded data stream. per tag group (i.e. per region) encoding format 8The format of the encoding. 0: the present encoding Other values arereserved. region flags 8 Flags controlling the interpretation of regiondata. 0: region ID is an EPC 1: region has signature 2: region hasembedded data 3: embedded data is signature Other bits are reserved andmust be zero. tag size ID 8 The ID of the tag size. 0: the present tagsize the nominal tag size is 1.7145 mm, based on 1600 dpi, 9 dots permacrodot, and 12 macrodots per tag Other values are reserved. region ID96  The ID of the region containing the tags. signature 36  Thesignature of the region. high-order coordinate 4 The width of thehigh-order part of the x and y width (w) coordinates of the tag.high-order x coordinate 0 to 15 high-order part of the x coordinate ofthe tag expands the maximum coordinate values to approximately 2.4 kmand 38 km respectively high-order y coordinate 0 to 15 high-order partof the y coordinate of the tag expands the maximum coordinate values toapproximately 2.4 km and 38 km respectively. CRC 16  A CRC of tag groupdata.

An active area is an area within which any captured input should beimmediately forwarded to the corresponding hyperlabel server forinterpretation. This also allows the hyperlabel server to signal to theuser that the input has had an immediate effect. Since the server hasaccess to precise region definitions, any active area indication in thesurface coding can be imprecise so long as it is inclusive.

The width of the high-order coordinate fields, if non-zero, reduces thewidth of the signature field by a corresponding number of bits. Fullcoordinates are computed by prepending each high-order coordinate fieldto its corresponding coordinate field. TABLE 2 Mapping of fields tocodewords codeword field codeword bits field width bits A 12:0  xcoordinate 13 all 12:9  data fragment 4 3:0 25:13 y coordinate 13 all25:22 data fragment 4 7:4 26 active area flag 1 all 27 data fragmentflag 1 all B 7:0 encoding format 8 all 15:8  region flags 8 all 23:16tag size ID 8 all 39:24 CRC 16 all 43:40 high-order coordinate 4 3:0width (w) C 35:0  signature 36 all (35 − w):(36 − 2w) high-order xcoordinate w all 35:(36 − w) high-order y coordinate w all 43:36 regionID 8 7:0 D 43:0  region ID 44 51:8  E 43:0  region ID 44 95:52Embedded Data

If the “region has embedded data” flag in the region flags is set thenthe surface coding contains embedded data. The data is encoded inmultiple contiguous tags' data fragments, and is replicated in thesurface coding as many times as it will fit.

The embedded data is encoded in such a way that a random and partialscan of the surface coding containing the embedded data can besufficient to retrieve the entire data. The scanning system reassemblesthe data from retrieved fragments, and reports to the user whensufficient fragments have been retrieved without error.

As shown in Table 3, a 200-bit data block encodes 160 bits of data. Theblock data is encoded in the data fragments of a contiguous group of 25tags arranged in a 5×5 square. A tag belongs to a block whose integercoordinate is the tag's coordinate divided by 5. Within each block thedata is arranged into tags with increasing x coordinate withinincreasing y coordinate.

A data fragment may be missing from a block where an active area map ispresent. However, the missing data fragment is likely to be recoverablefrom another copy of the block.

Data of arbitrary size is encoded into a superblock consisting of acontiguous set of blocks arranged in a rectangle. The size of thesuperblock is encoded in each block. A block belongs to a superblockwhose integer coordinate is the block's coordinate divided by thesuperblock size. Within each superblock the data is arranged into blockswith increasing x coordinate within increasing y coordinate.

The superblock is replicated in the surface coding as many times as itwill fit, including partially along the edges of the surface coding.

The data encoded in the superblock may include more precise typeinformation, more precise size information, and more extensive errordetection and/or correction data. TABLE 3 Embedded data block fieldwidth description data type 8 The type of the data in the superblock.Values include: 0: type is controlled by region flags 1: MIME Othervalues are TBA. superblock width 8 The width of the superblock, inblocks. superblock height 8 The height of the superblock, in blocks.data 160 The block data. CRC 16 A CRC of the block data. total 200

It will be appreciated that any form of embedded data may be used,including for example, text, image, audio, video data, such as productinformation, application data, contact data, business card data, anddirectory data.

Region Signatures

If the “region has signature” flag in the region flags is set then thesignature field contains a signature with a maximum width of 36 bits.The signature is typically a random number associated with the region IDin a secure database. The signature is ideally generated using a trulyrandom process, such as a quantum process, or by distilling randomnessfrom random events.

In an online environment the signature can be validated, in conjunctionwith the region ID, by querying a server with access to the securedatabase.

If the “region has embedded data” and “embedded data is signature” flagsin the region flags are set then the surface coding contains a 160-bitcryptographic signature of the region ID. The signature is encoded in aone-block superblock.

In an online environment any number of signature fragments can be used,in conjunction with the region ID and optionally the random signature,to validate the signature by querying a server with knowledge of thefull signature or the corresponding private key.

In an offline (or online) environment the entire signature can berecovered by reading multiple tags, and can then be validated using thecorresponding public signature key.

Signature verification is discussed in more detail below.

MIME Data

If the embedded data type is “MIME” then the superblock containsMultipurpose Internet Mail Extensions (MIME) data according to RFC 2045(Freed, N., and N. Borenstein, “Multipurpose Internet Mail Extensions(MIME)—Part One: Format of Internet Message Bodies”, RFC 2045, November1996), RFC 2046 (Freed, N., and N. Borenstein, “Multipurpose InternetMail Extensions (MIME)—Part Two: Media Types”, RFC 2046, November 1996)and related RFCs. The MIME data consists of a header followed by a body.The header is encoded as a variable-length text string preceded by an8-bit string length. The body is encoded as a variable-lengthtype-specific octet stream preceded by a 16-bit size in big-endianformat.

The basic top-level media types described in RFC 2046 include text,image, audio, video and application.

RFC 2425 (Howes, T., M. Smith and F. Dawson, “A MIME Content-Type forDirectory Information”, RFC 2045, September 1998) and RFC 2426 (Dawson,F., and T. Howes, “vCard MIME Directory Profile”, RFC 2046, September1998) describe a text subtype for directory information suitable, forexample, for encoding contact information which might appear on abusiness card.

Encoding and Printing Considerations

The Print Engine Controller (PEC) (which is the subject of a number ofpending U.S. patent applications, including: Ser. Nos. 09/575,108;10/727,162; 09/575,110; 09/607,985; U.S. Pat. Nos. 6,398,332; 6,394,573;6,622,923) supports the encoding of two fixed (per-page) 2⁴-ary (15,7)Reed-Solomon codewords and four variable (per-tag) 2⁴-ary (15,7)Reed-Solomon codewords, although other numbers of codewords can be usedfor different schemes.

Furthermore, PEC supports the rendering of tags via a rectangular unitcell whose layout is constant (per page) but whose variable codeworddata may vary from one unit cell to the next. PEC does not allow unitcells to overlap in the direction of page movement.

A unit cell compatible with PEC contains a single tag group consistingof four tags. The tag group contains a single A codeword unique to thetag group but replicated four times within the tag group, and fourunique B codewords. These can be encoded using five of PEC's sixsupported variable codewords. The tag group also contains eight fixed Cand D codewords. One of these can be encoded using the remaining one ofPEC's variable codewords, two more can be encoded using PEC's two fixedcodewords, and the remaining five can be encoded and pre-rendered intothe Tag Format Structure (TFS) supplied to PEC.

PEC imposes a limit of 32 unique bit addresses per TFS row. The contentsof the unit cell respect this limit. PEC also imposes a limit of 384 onthe width of the TFS. The contents of the unit cell respect this limit.

Note that for a reasonable page size, the number of variable coordinatebits in the A codeword is modest, making encoding via a lookup tabletractable. Encoding of the B codeword via a lookup table may also bepossible. Note that since a Reed-Solomon code is systematic, only theredundancy data needs to appear in the lookup table.

Imaging and Decoding Considerations

The minimum imaging field of view required to guarantee acquisition ofan entire tag has a diameter of 39.6 s, i.e.(2×(12+2)){square root}2sallowing for arbitrary alignment between the surface coding and thefield of view. Given a macrodot spacing of 143 μm, this gives a requiredfield of view of 5.7 mm.

Table 4 gives pitch ranges achievable for the present surface coding fordifferent sampling rates, assuming an image sensor size of 128 pixels.TABLE 4 Pitch ranges achievable for present surface coding for differentsampling rates, computed using Optimize Hyperlabel Optics; dot pitch =1600 dpi, macrodot pitch = 9 dots, viewing distance = 30 mm, nib-to-FOVseparation = 1 mm, image sensor size = 128 pixels sampling rate pitchrange 2 −40 to +49 2.5 −27 to +36 3 −10 to +18

For the surface coding above, the decoding sequence is as follows:

-   -   locate targets of complete tag    -   infer perspective transform from targets    -   sample cyclic position code    -   decode cyclic position code    -   determine orientation from cyclic position code    -   sample and decode local Reed-Solomon codeword    -   determine tag x-y location    -   infer 3D tag transform from oriented targets    -   determine nib x-y location from tag x-y location and 3D        transform    -   determine active area status of nib location with reference to        active area map    -   generate local feedback based on nib active area status    -   determine tag type    -   sample distributed Reed-Solomon codewords (modulo window        alignment, with reference to tag type)    -   decode distributed Reed-Solomon codewords    -   verify tag group data CRC    -   on decode error flag bad region ID sample    -   determine encoding type, and reject unknown encoding    -   determine region flags    -   determine region ID    -   encode region ID, nib x-y location, nib active area status in        digital ink    -   route digital ink based on region flags

Region ID decoding need not occur at the same rate as position decodingand decoding of a codeword can be avoided if the codeword is found to beidentical to an already-known good codeword.

If the high-order coordinate width is non-zero, then special care mustbe taken on boundaries between tags where the low-order x or ycoordinate wraps, otherwise codeword errors may be introduced. Ifwrapping is detected from the low-order x or y coordinate (i.e. itcontains all zero bits or all one bits), then the correspondinghigh-order coordinate can be adjusted before codeword decoding. In theabsence of genuine symbol errors in the high-order coordinate, this willprevent the inadvertent introduction of codeword errors.

Alternative Tag Arrangements

It will be appreciated that a range of different tag layouts and tagstructures can be utilised.

For example, the tag group shown in FIG. 9 can be replaced with the taggroup shown in FIG. 16, in which the tags are not rotated relative toeach other. FIG. 17 shows an arrangement that utilises a six-foldrotational symmetry at the physical level, with each diamond shaperepresenting a respective symbol. FIG. 18 shows a version of the tag inwhich the tag is expanded to increase its data capacity by addingadditional bands of symbols about its circumference.

The use of these alternative tag structures, including associatedencoding considerations, is described shown in more detail in thecopending patent application numbers [we will need to include a docketnumber here for HYG, HYT cases], the contents of which is incorporatedherein by cross reference.

Security Discussion

As described above, authentication relies on verifying thecorrespondence between data and a signature of that data. The greaterthe difficulty in forging a signature, the greater the trustworthinessof signature-based authentication.

The item ID is unique and therefore provides a basis for a signature. Ifonline authentication access is assumed, then the signature may simplybe a random number associated with the item ID in an authenticationdatabase accessible to the trusted online authenticator. The randomnumber may be generated by any suitable method, such as via adeterministic (pseudo-random) algorithm, or via a stochastic physicalprocess. A keyed hash or encrypted hash may be preferable to a randomnumber since it requires no additional space in the authenticationdatabase. However, a random signature of the same length as a keyedsignature is more secure than the keyed signature since it is notsusceptible to key attacks. Equivalently, a shorter random signatureconfers the same security as a longer keyed signature.

In the limit case no signature is actually required, since the merepresence of the item ID in the database indicates authenticity. However,the use of a signature limits a forger to forging items he has actuallysighted.

To prevent forgery of a signature for an unsighted ID, the signaturemust be large enough to make exhaustive search via repeated accesses tothe online authenticator intractable. If the signature is generatedusing a key rather than randomly, then its length must also be largeenough to prevent the forger from deducing the key from knownID-signature pairs. Signatures of a few hundred bits are consideredsecure, whether generated using private or secret keys.

While it may be practical to include a reasonably secure randomsignature in a tag (or local tag group), particularly if the length ofthe ID is reduced to provide more space for the signature, it may beimpractical to include a secure ID-derived signature in a tag. Tosupport a secure ID-derived signature, we can instead distributefragments of the signature across multiple tags. If each fragment can beverified in isolation against the ID, then the goal of supportingauthentication without increasing the sensing device field of view isachieved. The security of the signature can still derive from the fulllength of the signature rather than from the length of a fragment, sincea forger cannot predict which fragment a user will randomly choose toverify. A trusted authenticator can always perform fragment verificationsince they have access to the key and/or the full stored signature, sofragment verification is always possible when online access to a trustedauthenticator is available.

Fragment verification requires that we prevent brute force attacks onindividual fragments, otherwise a forger can determine the entiresignature by attacking each fragment in turn. A brute force attack canbe prevented by throttling the authenticator on a per-ID basis. However,if fragments are short, then extreme throttling is required. As analternative to throttling the authenticator, the authenticator caninstead enforce a limit on the number of verification requests it iswilling to respond to for a given fragment number. Even if the limit ismade quite small, it is unlikely that a normal user will exhaust it fora given fragment, since there will be many fragments available and theactual fragment chosen by the user can vary. Even a limit of one can bepractical. More generally, the limit should be proportional to the sizeof the fragment, i.e. the smaller the fragment the smaller the limit.Thus the experience of the user would be somewhat invariant of fragmentsize. Both throttling and enforcing fragment verification limits implyserialisation of requests to the authenticator. Enforcing fragmentverification limits further requires the authenticator to maintain aper-fragment count of satisfied verification requests.

A brute force attack can also be prevented by concatenating the fragmentwith a random signature encoded in the tag. While the random signaturecan be thought of as protecting the fragment, the fragment can also bethought of as simply increasing the length of the random signature andhence increasing its security.

Fragment verification may be made more secure by requiring theverification of a minimum number of fragments simultaneously.

Fragment verification requires fragment identification. Fragments may beexplicitly numbered, or may more economically be identified by thetwo-dimensional coordinate of their tag, modulo the repetition of thesignature across a continuous tiling of tags.

The limited length of the ID itself introduces a further vulnerability.Ideally it should be at least a few hundred bits.

In the Netpage surface coding scheme it is 96 bits or less. To overcomethis the ID may be padded. For this to be effective the padding must bevariable, i.e. it must vary from one ID to the next. Ideally the paddingis simply a random number, and must then be stored in the authenticationdatabase indexed by ID. If the padding is deterministically generatedfrom the ID then it is worthless.

Offline authentication of secret-key signatures requires the use of atrusted offline authentication device. The QA chip (which is the subjectof a number of pending U.S. patent applications, including Ser. Nos.09/112,763; 09/112,762; 09/112,737; 09/112,761; 09/113,223) provides thebasis for such a device, although of limited capacity. The QA chip canbe programmed to verify a signature using a secret key securely held inits internal memory. In this scenario, however, it is impractical tosupport per-ID padding, and it is impractical even to support more thana very few secret keys. Furthermore, a QA chip programmed in this manneris susceptible to a chosen-message attack. These constraints limit theapplicability of a QA-chip-based trusted offline authentication deviceto niche applications.

In general, despite the claimed security of any particular trustedoffline authentication device, creators of secure items are likely to bereluctant to entrust their secret signature keys to such devices, andthis is again likely to limit the applicability of such devices to nicheapplications.

By contrast, offline authentication of public-key signatures (i.e.generated using the corresponding private keys) is highly practical. Anoffline authentication device utilising public keys can trivially holdany number of public keys, and may be designed to retrieve additionalpublic keys on demand, via a transient online connection, when itencounters an ID for which it knows it has no corresponding publicsignature key. Untrusted offline authentication is likely to beattractive to most creators of secure items, since they are able toretain exclusive control of their private signature keys.

A disadvantage of offline authentication of a public-key signature isthat the entire signature must be acquired from the coding, violatingour desire to support authentication with a minimal field of view. Acorresponding advantage of offline authentication of a public-keysignature is that access to the ID padding is no longer required, sincedecryption of the signature using the public signature key generatesboth the ID and its padding, and the padding can then be ignored. Aforger can not take advantage of the fact that the padding is ignoredduring offline authentication, since the padding is not ignored duringonline authentication.

Acquisition of an entire distributed signature is not particularlyonerous. Any random or linear swipe of a hand-held sensing device acrossa coded surface allows it to quickly acquire all of the fragments of thesignature. The sensing device can easily be programmed to signal theuser when it has acquired a full set of fragments and has completedauthentication. A scanning laser can also easily acquire all of thefragments of the signature. Both kinds of devices may be programmed toonly perform authentication when the tags indicate the presence of asignature.

Note that a public-key signature may be authenticated online via any ofits fragments in the same way as any signature, whether generatedrandomly or using a secret key. The trusted online authenticator maygenerate the signature on demand using the private key and ID padding,or may store the signature explicitly in the authentication database.The latter approach obviates the need to store the ID padding.

Note also that signature-based authentication may be used in place offragment-based authentication even when online access to a trustedauthenticator is available.

Table 5 provides a summary of which signature schemes are workable inlight of the foregoing discussion. TABLE 5 Summary of workable signatureschemes encoding acquisition signature online offline in tags from tagsgeneration authentication authentication Local full random okImpractical to store per ID information secret key Signature tooUndesirable to short to store secret be secure keys private keySignature too short to be secure Dis- fragment(s) random okimpractical^(b) tributed secret key ok impractical^(c) private key okimpractical^(b) full random ok impractical^(b) secret key okimpractical^(c) private key ok okSecurity Specification

FIG. 19 shows an example item signature object model.

An item has an ID (X) and other details (not shown). It optionally has asecret signature (Z). It also optionally has a public-key signature. Thepublic-key signature records the signature (S) explicitly, and/orrecords the padding (P) used in conjunction with the ID to generate thesignature. The public-key signature has an associated public-private keypair (K, L). The key pair is associated with a one or more ranges ofitem IDs.

Typically issuers of security documents and pharmaceuticals will utilisea range of IDs to identify a range of documents or the like. Followingthis, the issuer will then use these details to generate respective IDsfor each item, or document to be marked.

Authentication of the product can then be performed online or offline bysensing the tag data encoded within the tag, and performing theauthentication using a number of different mechanisms depending on thesituation.

Examples of the processes involved will now be described for public andprivate key encryption respectively.

Authentication Based on Public-Key Signature

Setup per ID range:

-   -   generate public-private signature key pair (K, L)    -   store key pair (K, L) indexed by ID range

Setup per ID:

-   -   generate ID padding (P)    -   retrieve private signature key (L) by ID (X)    -   generate signature (S) by encrypting ID (X) and padding (P)        using private key (L):        -   S←E_(L)(X, P)    -   store signature (S) in database indexed by ID (X) (and/or store        padding (P))    -   encode ID (X) in all tag groups    -   encode signature (S) across multiple tags in repeated fashion

Online fragment-based authentication (user):

-   -   acquire ID (X) from tags    -   acquire position (x, y)_(i) and signature fragment (T_(i)) from        tag    -   generate fragment number (i) from position (x, y)_(i):        -   i←F[(x, y)_(i)]    -   look up trusted authenticator by ID (X)    -   transmit ID (X), fragment (S_(i)) and fragment number (i) to        trusted authenticator

Online fragment-based authentication (trusted authenticator):

-   -   receive ID (X), fragment (S_(i)) and fragment number (i) from        user    -   retrieve signature (S) from database by ID (X) (or re-generate        signature)    -   compare received fragment (T_(i)) with corresponding fragment of        signature (S_(i))    -   report authentication result to user

Offline signature-based authentication (user):

-   -   acquire ID from tags (X)    -   acquire positions (x, y)_(i) and signature fragments (T_(i))        from tag    -   generate fragment numbers (i) from positions (x, y)_(i):        -   i←F[(x, y)_(i)]            -   S←S₀|S₁| . . . |S_(n-1)    -   generate signature (S) from (n) fragments:    -   retrieve public signature key (K) by ID (X)    -   decrypt signature (S) using public key (K) to obtain ID (X′) and        padding (P′):        -   X′|P′←D_(K)(S)    -   compare acquired ID (X) with decrypted ID (X′)    -   report authentication result to user        Authentication Based on Secret-Key Signature

Setup per ID:

-   -   generate secret (Z)    -   store secret (Z) in database indexed by ID (X)    -   encode ID (X) and secret (Z) in all tag groups

Online secret-based authentication (user):

-   -   acquire ID (X) from tags    -   acquire secret (Z′) from tags    -   look up trusted authenticator by ID    -   transmit ID (X) and secret (Z′) to trusted authenticator

Online secret-based authentication (trusted authenticator):

-   -   receive ID (X) and secret (Z′) from user    -   retrieve secret (Z) from database by ID (X)    -   compared received secret (Z′) with secret (Z)    -   report authentication result to user

As discussed earlier, secret-based authentication may be used inconjunction with fragment-based authentication.

Cryptographic Algorithms

When the public-key signature is authenticated offline, the user'sauthentication device typically does not have access to the padding usedwhen the signature was originally generated. The signature verificationstep must therefore decrypt the signature to allow the authenticationdevice to compare the ID in the signature with the ID acquired from thetags. This precludes the use of algorithms which don't perform thesignature verification step by decrypting the signature, such as thestandard Digital Signature Algorithm U.S. Department ofCommerce/National Institute of Standards and Technology, DigitalSignature Standard (DSS), FIPS 186-2, 27 Jan. 2000.

RSA encryption is described in:

-   -   Rivest, R. L., A. Shamir, and L. Adleman, “A Method for        Obtaining Digital Signatures and Public-Key Cryptosystems”,        Communications of the ACM, Vol. 21, No. 2, February 1978, pp.        120-126    -   Rivest, R. L., A. Shamir, and L. M. Adleman, “Cryptographic        communications system and method”, U.S. Pat. No. 4,405,829,        issued 20 Sep. 1983    -   RSA Laboratories, PKCS #1 v2.0: RSA Encryption Standard, Oct. 1,        1998

RSA provides a suitable public-key digital signature algorithm thatdecrypts the signature. RSA provides the basis for the ANSI X9.31digital signature standard American National Standards Institute, ANSIX9.31-1998, Digital Signatures Using Reversible Public Key Cryptographyfor the Financial Services Industry (rDSA), Sep. 8, 1998. If no paddingis used, then any public-key signature algorithm can be used.

In the hyperlabel surface coding scheme the ID is 96 bits long or less.It is padded to 160 bits prior to being signed.

The padding is ideally generated using a truly random process, such as aquantum process [14,15], or by distilling randomness from random eventsSchneier, B., Applied Cryptography, Second Edition, John Wiley & Sons1996.

In the hyperlabel surface coding scheme the random signature, or secret,is 36 bits long or less. It is also ideally generated using a trulyrandom process.

Security Tagging and Tracking

Currency, checks and other monetary documents can be tagged in order todetect currency counterfeiting and counter money laundering activities.The Hyperlabel tagged currency can be validated, and tracked through themonetary system. Hyperlabel tagged products such as pharmaceuticals canbe tagged allowing items to be validated and tracked through thedistribution and retail system.

A number of examples of the concepts of Hyperlabel security tagging andtracking referring specifically to bank notes and pharmaceuticals,however Hyperlabel tagging can equally be used to securely tag and trackother products, for example, traveller's checks, demand deposits,passports, chemicals etc.

Hyperlabel tagging, with the Netpage system, provides a mechanism forsecurely validating and tracking objects.

Hyperlabel tags on the surface of an object uniquely identify theobject. Each Hyperlabel tag contains information including the object'sunique ID, and the tag's location on the Hyperlabel tagged surface. AHyperlabel tag also contains a signature fragment which can be used toauthenticate the object. A scanning laser or image sensor can read thetags on any part of the object to identify the object, validate theobject, and allow tracking of the object.

Pharmaceutical tagging

An example of the protection of pharmaceuticals will now be describedwith reference to the specific protection of currency, such as banknotes, although it will be appreciated that the techniques may beapplied to any security document.

Hyperlabel tags can be printed over the entire surface of thepharmaceutical packaging, or only on a smaller area of the packaging. AHyperlabel pharmaceutical tag contains the item's product ID and aserial number, to uniquely identify an individual item. The product IDidentifies the item's National Drug Code (NDC) number. The NDC number isallocated and administered by the FDA (U.S. Food and DrugAdministration) for drugs and drug-related items and identifies theproduct and manufacturer. Alternatively the tag may contain anotherproduct ID code, such as the European International Article Numbering(EAN) code, or EPC etc.

In this example, each hexagonal Hyperlabel currency tag is around 2.5 mmacross, and incorporates a variety of data in the form of printed dotsof infrared ink. An example of a tag included on pharmaceuticalpackaging is shown in FIG. 20.

The tag may also include:

-   -   Alignment marks (these are the larger dots in the image above)    -   A code indicating that the tag is a pharmaceutical tag, as        opposed to another commercial Hyperlabel or Hyperlabel tag    -   A horizontal position code, specifying where the tag is along        the packaging    -   A vertical position code, specifying where the tag is across the        packaging    -   A cryptographic signature    -   Error detection and correction bits

Each tag is unique. That is, of all tags ever to be printed on anypackaging or other document, no two valid tags will ever be the same.The tags are designed to be easily read with low cost scanners that canbe built into a variety of validation devices.

The pharmaceutical ID can be read by a scanner and used to look updetails of the item's lot number and expiry date. Alternatively the lotnumber and expiry date may be contained in the pharmaceutical tag toallow off-line retrieval of this information by any scanner. Thepharmaceutical ID may also be used to access details such as dosage andadministration information, drug interactions, precautions,contraindications, product warnings, recall information, place ofmanufacture etc.

Hyperlabel currency tags can be read by any Hyperlabel scanner. Thesescanners can be incorporated into a variety of devices to facilitateauthentication and tracking, as will be described in more detail below.

Tracking

For the purpose of tracking and item validation the manufacturer, orother central authority, maintains a database which tracks the locationand status of all items.

Each time a pharmaceutical item is scanned its location is recorded.This location information can be collected in a central databaseallowing analysis and identification of abnormal product movements anddetection of counterfeit pharmaceuticals.

This allows the creation of highly accurate intelligence about criminalactivity and the real-time detection of the location of stolen orcounterfeit pharmaceuticals at many locations within the supply chain orin distribution. For example, in the case of sophisticated forgerieswhere Hyperlabel dot patterns are exactly duplicated, there will bemultiple copies of exactly forged pharmaceutical items (at a minimum,the original and the forgery). If multiple identical pharmaceuticalitems appears in different places at the same time, all but one of thepharmaceutical items must be a forgery. All can then be treated assuspect.

Thus, when a transaction is performed involving pharmaceutical items,the general process is as follows:

-   -   a transaction is agreed    -   currency is provided relating to the transaction    -   the pharmaceutical item is scanned using an appropriate sensing        device    -   the sensing device sense at least one tag and generates        predetermined data    -   the predetermined data is transferred to a central government        database

In this regard, the following predetermined data is automatically sentfrom the scanners to the central government currency database:

-   -   The unique identifier for the pharmaceutical item    -   The nature of pharmaceutical item    -   validity data    -   The serial number of the scanner    -   The time and date of the scan    -   The physical location of the scanner at the time the scan was        taken (for fixed scanners this is automatic, and for mobile        scanners the physical location is determined using a GPS        tracker)    -   The network location of the scanner    -   The identity of the person making reportable transactions

Thus, Hyperlabel technology makes it possible to build databasescontaining the history of all pharmaceutical items produced, and itallows them to be tracked through to distribution and use by theconsumer. The data collected can be used to build up flow maps based onthe validation data received, and its presence will provide a powerfultool for law enforcement agencies to combat pharmaceutical itemcounterfeiting.

There are also a large number of transactions involved—several hundredmillion per day. These are within the capability of conventionaldistributed transaction processing systems. However, the Hyperlabelcurrency system can be implemented at substantially lower cost by usingnew generation database systems that perform transactions insemiconductor memory, instead of disk drives. These transactions canthen be continually streamed to disk as a background ‘backup’ task. Suchsystems are likely to be sufficiently mature by the time that aHyperlabel based currency tracking system comes on-line that they willbe a viable choice.

As well as basic tracking and validation functions, the database systemmay have the following additional features:

-   -   Indication of abnormal pharmaceutical item movement patterns        within the system    -   The provision of pharmaceutical item demand forecasts    -   Data mining features that could be used to detect and prosecute        counterfeiters    -   Neural network based fraud detection    -   Geographic trends identification

A central database maintains up-to-date information on valid object IDs,an object ID hotlist (for all suspect object IDs), and a list of publickeys corresponding to object IDs. The central server also maintains anobject scanning history to track an object's movements. Each time anobject is scanned, its timestamped location is recorded. If known, thedetails of the object owner may also be recorded. This information maybe known particularly in the case of large transactions. This objectscanning history data can be used to detect illegal product movements,for example, the illegal import of a pharmaceutical. It can also be usedto detect abnormal or suspicious product movements which may beindicative of product counterfeiting.

If an object is known to be stolen it can be immediately added to anobject ID hotlist on the central server. This hotlist is automaticallydistributed to (or becomes accessible to) all on-line scanners, and willbe downloaded to all off-line scanners on their next update. In this waythe stolen status is automatically and rapidly disseminated to a hugenumber of outlets. Similarly, if an object is in any other way suspectit can be added to the hotlist so that its status is flagged to theperson scanning the object.

An on-line scanner has instant access to the central server to allowchecking of each object ID at the time of scanning. The object scanninghistory is also updated at the central server at the time the object isscanned.

An off-line scanner stores object status data internally to allowvalidation of a scanned object. The object status data includes valid IDrange lists, an object ID hotlist, a public key list, and an objectscanning history. Each time an object is scanned the details arerecorded in the object scanning history. The object status data isdownloaded from the central server, and the object scanning history isuploaded to the central server, each time the scanner connects.

A mobile scanner's location can be provided to the application by thescanner, if it is GPS-equipped. Alternatively the scanner's location canbe provided by the network through which it communicates.

For example, if the hand-held scanner uses the mobile phone network, thescanner's location can be provided by the mobile phone network provider.There are a number of location technologies available. One is AssistedGlobal Positioning System (A-GPS). This requires a GPS-equipped handset,which receives positioning signals from GPS satellites. The phonenetwork knows the approximate location of the handset (in this case thehandset is also the scanner) from the nearest cell site. Based on this,the network tells the handset which GPS satellites to use in itsposition calculations. Another technology, which does not require thedevice to be GPS-equipped, is Uplink Time Difference of Arrival(U-TDOA). This determines the location of a wireless handset, using aform of triangulation, by comparing the time it takes a wirelesshandset's signal to reach several Location Measurement Units (LMUs)installed at the network's cell sites. The handset location is thencalculated based on the differences in arrival times of the three (ormore) signals.

Authentication

Each object ID has a signature. Limited space within the Hyperlabel tagstructure makes it impractical to include a full cryptographic signaturein a tag so signature fragments are distributed across multiple tags. Asmaller random signature, or secret, can be included in a tag.

To avoid any vulnerability due to the limited length of the object ID,the object ID is padded, ideally with a random number. The padding isstored in an authentication database indexed by object ID. Theauthentication database may be managed by the manufacturer, or it may bemanaged by a third-party trusted authenticator.

Each Hyperlabel tag contains a signature fragment and each fragment (ora subset of fragments) can be verified, in isolation, against the objectID. The security of the signature still derives from the full length ofthe signature rather than from the length of the fragment, since aforger cannot predict which fragment a user will randomly choose toverify.

Fragment verification requires fragment identification. Fragments may beexplicitly numbered, or may by identified by the two-dimensionalcoordinate of their tag, modulo the repetition of the signature acrosscontinuous tiling of tags.

Note that a trusted authenticator can always perform fragmentverification, so fragment verification is always possible when on-lineaccess to a trusted authenticator is available.

Establishing Authentication Database.

Prior to allocating a new range of IDs, some setup tasks are required toestablish the authentication database.

For each range of IDs a public-private signature key pair is generatedand the key pair is stored in the authentication database, indexed by IDrange.

For each object ID in the range the following setup is required:

-   -   generate ID padding and store in authentication database,        indexed by object ID    -   retrieve private signature key by object ID    -   generate signature by encrypting object ID and padding, using        private key    -   store signature in authentication database indexed by object ID,        and/or store the padding, since the signature can be        re-generated using the ID, padding and private key    -   encode the signature across multiple tags in repeated fashion

This data is required for the Hyperlabel tags therefore theauthentication database must be established prior to, or at the time of,printing of the Hyperlabels.

Security issues are discussed in more detail above.

FIG. 21 summarises printing and distribution of pharmaceutical packagingwith Hyperlabel tags. Pharmaceuticals are also logged in the databasewhenever they are scanned in circulation, and also when they aredestroyed.

While the technology to print commercial Hyperlabel tags will becommercially available, only the authorized manufacturers will be ableto print the codes corresponding to their products. These codes can beprotected by 2048 bit RSA cryptography embedded within the integratedcircuits (chips) embedded in the Memjet™ printers used to printHyperlabel tags. This is a highly secure form of asymmetriccryptography, using private and public keys. The private keys relatingto any particular currency would be kept only by authorised nationalsecurity agencies.

Off-Line Public-Key-Based Authentication

An off-line authentication device utilises public-key signatures. Theauthentication device holds a number of public keys. The device may,optionally, retrieve additional public keys on demand, via a transienton-line connection when it encounters an object ID for which it has nocorresponding public key signature.

For off-line authentication, the entire signature is needed. Theauthentication device is swiped over the Hyperlabel tagged surface and anumber of tags are read. From this, the object ID is acquired, as wellas a number of signature fragments and their positions. The signature isthen generated from these signature fragments. The public key is lookedup, from the scanning device using the object ID. The signature is thendecrypted using the public key, to give an object ID and padding. If theobject ID obtained from the signature matches the object ID in theHyperlabel tag then the object is considered authentic.

The off-line authentication method can also be used on-line, with thetrusted authenticator playing the role of authenticator.

On-Line Public-Key-Based Authentication

An on-line authentication device uses a trusted authenticator to verifythe authenticity of an object. For on-line authentication a single tagcan be all that is required to perform authentication. Theauthentication device scans the object and acquires one or more tags.From this, the object ID is acquired, as well as at least one signaturefragment and its position. The fragment number is generated from thefragment position. The appropriate trusted authenticator is looked up bythe object ID. The object ID, signature fragment, and fragment numberare sent to the trusted authenticator.

The trusted authenticator receives the data and retrieves the signaturefrom the authentication database by object ID. This signature iscompared with the supplied fragment, and the authentication result isreported to the user.

On-Line Secret-Based Authentication

Alternatively or additionally, if a random signature or secret isincluded in each tag (or tag group), then this can be verified withreference to a copy of the secret accessible to a trusted authenticator.Database setup then includes allocating a secret for each object, andstoring it in the authentication database, indexed by object ID.

The authentication device scans the object and acquires one or moretags. From this, the object ID is acquired, as well as the secret. Theappropriate trusted authenticator is looked up by the object ID. Theobject ID and secret are sent to the trusted authenticator.

The trusted authenticator receives the data and retrieves the secretfrom the authentication database by object ID. This secret is comparedwith the supplied secret, and the authentication result is reported tothe user.

Secret-based authentication can be used in conjunction with on-linefragment-based authentication is discussed in more detail above.

Product Scanning Interactions

Product Scanning at a retailer is illustrated in FIG. 22. When a storeoperator scans a Hyperlabel tagged product the tag data is sent to theservice terminal (A). The service terminal sends the transaction data tothe store server (B). The store server sends this data, along with theretailer details, to the manufacturer server (C). The Hyperlabel serverknows which manufacturer server to send the message to from the objectID. On receipt of the input, the manufacturer server authenticates theobject, if the manufacturer is the trusted authenticator. Alternativelythe manufacturer server passes the data on to the authentication serverto verify the object ID and signature (D). The authentication serversends the authentication result back to the manufacturer server (E). Themanufacturer server checks the status of the object ID (against itsvalid ID lists and hotlist), and sends the response to the store server(F), which in turn send the result back the store service terminal (G).The store server could also communicate with the relevant authenticationserver directly.

The interaction detail for on-line product scanning at a retailer isshown in FIG. 23. The store operator scans the Hyperlabel taggedproduct. The scanner sends the scanner ID and tag data to the serviceterminal. The service terminal sends this data along with the terminalID and scanner location to the store server. The store server then sendsthe request on to the manufacturer server, which performs authentication(either itself or via a third party authentication server) anddetermines the object status. The response is then sent back to thestore server, and on to the operator service terminal.

The interaction detail for off-line product scanning at a retailer isshown in FIG. 24. The store operator scans the Hyperlabel taggedproduct. The scanner sends the scanner ID and tag data from multipletags to the service terminal. The service terminal sends this data,along with the terminal ID and scanner location, to the store server.The store server then performs off-line authentication, as described inSection 3.4.2, and determines the object status through its cachedhotlist, valid object ID lists, and public key list. The store serverrecords the scan details in its internal object scanning history. Theresponse is then sent back to the operator service terminal.

An alternative for off-line product scanner occurs where the scanner isa hand-held, stand-alone scanner. In this case the cached authenticationdata is stored within the scanner itself, and the scanner performs thevalidation internally. The object scanning history is also cached withinthe scanner. Periodically the scanner connects to the central database,uploads it's object scanning history, and downloads the latest publickey list, object ID hotlist and valid ID range list. This connection maybe automatic (and invisible to the user), or may be initiated by theuser, for example, when the scanner is placed in a dockingstation/charger.

Product scanning with a Netpage pen is illustrated in FIG. 25. When auser scans a Hyperlabel tagged item with their Netpage pen, the input issent to the Netpage System, from the user's Netpage pen, in the usualway (A). To scan a product rather than interact with it, the pen can beplaced in a special mode. This is typically a one-shot mode, and can beinitiated by tapping on a <scan> button printed on a Netpage.Alternatively, the pen can have a user-operable button, which, when helddown during a tap or swipe, tells the pen to treat the interaction as aproduct scan rather than a normal interaction. The tag data istransmitted from the pen to the user's Netpage base station. The Netpagebase station may be the user's mobile phone or PDA, or it may be someother Netpage device, such as a PC. The input is relayed to theHyperlabel server (B) and then on to manufacturer server (C) in theusual way. On receipt of the input, the manufacturer serverauthenticates the object if the manufacturer is the trustedauthenticator. Alternatively the manufacturer server passes the data onto the authentication server to verify the object ID and signature (D).The authentication server sends the authentication result back to themanufacturer server (E). The manufacturer server checks the status ofthe object ID (against its valid ID lists and hotlist), and sends theresponse to the Hyperlabel server (G). The Hyperlabel server, as part ofthe Netpage system, can know the identity and devices of the user. TheHyperlabel server will relay the manufacturer server's response to theuser's phone (G) or Web browsing device (H) as appropriate. If theuser's Netpage pen has LEDs then the Hyperlabel server can send acommand to the user's pen to light the appropriate LED(s) (I,J).

The interaction detail for scanning with a Netpage pen is shown in FIG.26. The Netpage pen clicks on the Hyperlabel tagged product. The Netpagepen sends the pen id, the product's tag data and the pen's location tothe Hyperlabel server. If the pen ID is not already associated with ascanner, the Hyperlabel server may create a new scanner record for thepen, or may use the pen ID as a scanner ID. The Hyperlabel server sendsthe scanner ID, tag data, and scanner location (if known) to themanufacturer server, which performs authentication (either itself or viaa third party authentication server) and determines the object status.The response is then sent back to the Hyperlabel server, and on to theuser's default Web browsing device.

Security Tagging and Tracking Object Model

The Security Tagging and Tracking object model revolves aroundHyperlabel tags, object IDs, and signatures. FIG. 37 illustrates themanagement and organisation of these objects.

As shown in FIG. 27, a Hyperlabel tag comprises a tag type, object ID,two-dimensional position and a signature fragment. The tag typeindicates whether this is a tag on a common object, or whether the tagis on a special type of object such as a currency note or apharmaceutical product. A signature fragment has an optional fragmentnumber which identifies the fragment's place within the full signature.

As described above, a product's unique item ID may be seen as a specialkind of unique object ID. The Electronic Product Code (EPC) is oneemerging standard for an item ID. An item ID typically consists of aproduct ID and a serial number. The product ID identifies a class ofproduct, while the serial number identifies a particular instance ofthat class, i.e. an individual product item. The product ID in turntypically consists of a manufacturer number and a product class number.The best-known product ID is the EAN.UCC Universal Product Code (UPC)and its variants. The Item ID class diagram is shown in FIG. 28.

Pharmaceuticals are identified by a pharmaceutical ID. Typically thepharmaceutical ID will be an EPC. A pharmaceutical ID consists of aproduct ID and a serial number. The product ID in turn typicallyconsists of a manufacturer number and a product class number. The bestknown product ID for pharmaceutical products is the National Drug Code(NDC), allocated and administered by the US Food and DrugAdministration. The Pharmaceutical ID class diagram is shown in FIG. 29.

Object Description, ownership and aggregation class diagram is shown inFIG. 30. This is described in more detail above.

The Object Scanning History class diagram is shown in FIG. 31. An objecthas an object scanning history, recording each time the scanner scans anobject. Each object scanned event comprises the scanner ID, the date andtime of the scan, and the object status at the time of the scan, and thelocation of the scanner at the time the object was scanned. The objectstatus may be valid, stolen, counterfeit suspected, etc. If known, theobject owner details may also be recorded.

A scanner has a unique scanner ID, a network address, owner informationand a status (e.g. on-line, off-line). A scanner is either a mobilescanner, whose location may vary, or a fixed scanner, whose location isknown and constant. A scanner has a current location, comprising thelocation details and a timestamp. A scanner may be a Netpage pen, inwhich case it will be associated with a Netpage Pen record. If a scannerin off-line, it will keep an object scanning history, and willoptionally store a public key list, a valid ID range list and an objectID hotlist. The scanner class diagram is shown in FIG. 32.

The manufacturer, or other central authority, maintains a number ofObject ID Hot Lists, each with a unique list ID, and the time the listwas last updated. Each hot list comprises a list of suspect object IDs,comprising the object ID, date, time, status (suspected counterfeit,stolen, etc.) and other information. The Object ID Hot List classdiagram is shown in FIG. 33.

The manufacturer, or other central authority, maintains a list of validID ranges. Each valid object ID range entry in the list comprises thestart object ID and end object ID (the valid ID range) and the time theentry was updated. The Valid ID Range List class diagram is shown inFIG. 34.

The manufacturer, or other central authority, maintains a public keylist. The public key list consists of a number of entries identifyingthe public key for a range of Object IDs. Each valid object ID rangeentry comprises the update time for the entry, the start object ID forthe range, the end object ID for the range, and the public keyapplicable to each object ID in the given range. The Public Key Listclass diagram is shown in FIG. 35.

Object authentication may be performed by the manufacturer, or by athird-party trusted authenticator. A trusted authenticator has anauthenticator ID, name and details. A trusted authenticator holds a listof public-private key pairs, each associated with one or more ID ranges.This is a list of object ID ranges (identified by the start and end ID)and the corresponding public/private signature key pair. A trustedauthenticator also holds a list of secret signatures, and a list ofpublic-key signatures. Each public-key signature identifies the actualsignature and/or the padding used to generate the signature. Each secretsignature and public-key signature is associated by object ID with aunique object. The Trusted Authenticator class diagram is shown in FIG.36.

Scanners

Hyperlabel scanners can be built into a variety of devices. Scanners maybe fixed or mobile. A fixed scanner has a permanent, known location. Amobile scanner has no fixed location. A scanner may be on-line, i.e.have immediate access to the central database, or it may be off-line.

Scanners may be specific to a particular product application, such as acurrency counter, or may be a generic Hyperlabel scanner. Hyperlabelscanners may be embedded in other multi-function devices, for example, amobile phone or PDA.

Hyperlabel currency tags can be read using many types of scanner,including:

-   -   Cash registers    -   POS checkouts    -   Mobile phone with inbuilt scanner    -   Hyperlabel pens    -   Vending machines

The Hyperlabel technology used in these devices can be implemented in awide range of applications. As a result, the development and deploymentcosts can be shared by the key stakeholders. It will be realised thatthese can therefore be implemented in a manner similar to that describedabove with respect to security documents.

Hyperlabel scanners built into a variety of products will include thefollowing features, currently under development at Silverbrook Research.

-   -   An infrared image sensor to read the Hyperlabel tags that        uniquely identify each phannaceutical item.    -   A 32 bit RISC processor with 20 megabits of secure code space        signed using 2048 bit RSA cryptography.    -   A highly secure processor with cryptographic and physical        security features for verifying the cryptographic signature on        Hyperlabel tags (under development at Silverbrook Research).    -   Infrared optics, including filters tuned to the Hyperlabel ink        infrared spectrum.    -   A real-time clock to verify the time of each transaction        reported.    -   Software to decode the Hyperlabel tags, record the details of        each scan, to validate each note scanned, and to facilitate        automatic and secure communications with an online database.    -   Communications systems to create secure network connections to        the central currency verification database.

Various of the Hyperlabel scanners described below are also planned toinclude the following units:

-   -   An inbuilt display and data entry mechanism to indicate to the        operator details of the pharmaceutical item being dispensed,        items that are suspected of being counterfeit, and the identity        of the person requesting reportable cash transactions.    -   A cache of the serial numbers of all known counterfeit        pharmaceutical item.    -   Other spectral filters tuned to the secure currency ink spectrum        (which differs from the commercially available Hyperlabel ink).    -   A GPS tracker to verify the location of the currency counter at        the time of use.        Mobile Phone with Inbuilt Scanner

A mobile phone with an inbuilt Hyperlabel infrared scanner to scan andvalidate each item can be used in a range of locations such as wheremedications are stored for distribution, or dispensed. It is intendedfor wide use and distribution among the hundreds of millions of mobilephone subscribers. It can be used by consumers to validate items, or toquickly find out additional information about a prescription item. Itcan also be used for inventory management and validity checkingapplications, such as for policing trademark infringement, andstocktaking.

Hyperlabel Supermarket Checkout Scanner

One of the other major applications of Hyperlabel is in consumerpackaged goods, where it has the potential of being the next generationbar code and allowing automatic tracking of individual items. Theapplication of Hyperlabel laser scanners makes it possible toautomatically scan products at supermarket checkouts. These checkoutswill be able to read pharmaceutical Hyperlabels to validate each item atthe point of sale. An example of a hyperlabel is shown in FIG. 38, andis described in more detail in copending application number [cross refany application describing Hyperlabel checkout], the contents of whichis incorporated herein by cross reference.

Cash Registers

Cash registers can have an add-on or built-in currency scanner for asmall additional cost per unit. The pharmaceutical item is scanned as itis processed for sale. An example of a cash register is shown in FIG.39.

Hyperlabel Pen

A Hyperlabel Pen can be used as a miniature low cost image sensor forconsumer and small business use. It uses an infrared image sensor, andto image a Hyperlabel tag whenever it is clicked against a surface.These pens are also intended for high volume consumer use, with intendeddistribution exceeding 100 million units. While its primary applicationis a wide range of ‘interactive paper’ and computer peripheral uses, italso allows consumers to validate pharmaceuticals and other goods byclicking on the Hyperlabel.

When read by a Hyperlabel Pen, the Hyperlabel allows the pen to trackits own nib movement relative to the label. The pen uses the positionand orientation of each tag in its 5 mm field of view to determine amuch more precise position than just the position encoded in a tag. Thepen transmits its interaction data to a Hyperlabel Server forinterpretation. The interaction data consists of movement data (or‘digital ink’), defined relative to the product label identified by itsEPC, thus enabling consumers to use a product label to interact directlywith the manufacturer's Web site. The Hyperlabel network will be managedby dedicated Hyperlabel servers, and any pharmaceutical scans fromHyperlabel Pens will be routed through these servers to thePharmaceutical server.

An example of a handheld validity scanner is shown in FIGS. 2 and 25,and is described in more detail in copending application number [crossref any application describing validity scanner], the contents of whichis incorporated herein by cross reference.

Handheld Validity Scanner

Handheld Hyperlabel validity scanners may also be used where currencycounters are not required or suitable. These devices are expected to besignificantly more common than currency counters, as they have multipleuses, and will be much cheaper.

The validity scanner has multiple uses, including pharmaceuticalsecurity, brand-name security, stocktaking, forensic investigations, andpolicing. As it is not a dedicated currency device. It does notcommunicate directly with the government currency server as otherwise,large numbers of non-currency related messages would need to be routedthrough that server. Instead, it communicates directly with commercialHyperlabel servers, and any currency related validation requests arepassed on to the government server. To reduce the transaction load onthe government server, note related information can be cached at theHyperlabel server, much as they are cached in the currency counters.

The link to the database would typically be relayed over a radio link toallow local mobility. The radio link can be WiFi, GPRS, 3G mobile,Bluetooth, or other IP link, as appropriate. Internet transactions aresecured using encrypted packets.

An example of a hand held scanner is shown in FIG. 40, with analternative example being shown in FIG. 22, and being described in moredetail in copending application number [cross ref any applicationdescribing validity scanner], the contents of which is incorporatedherein by cross reference.

Security Features

Hyperlabel currency security features include:

-   -   Notes can be tracked whenever they are scanned—at banks,        supermarket checkouts, vending machines, cash registers, and low        cost home scanners.    -   The unique range of currency tag numbers can be printed only by        the government printing agency.    -   Currency IR ink with unique spectral properties, can be made        available only to government printing agencies.    -   Note serial number printed in tag must match printed serial        number.    -   Tags are printed all over both sides of the note.    -   Tags vary across the note—a forger must match the thousands of        tags printed on any note.    -   Additional proprietary security features not disclosed in this        document.    -   The ability to determine both the validity and the value of        currency.

Advantages of Hyperlabel

Unlike 2D optical barcodes that are often difficult to read due to labeldamage and a direct ‘line-of-sight’ requirement needed for scanning,optically readable, but invisible, infrared Hyperlabel tags, are printedall over, or on a large section of a product label. Hyperlabel tagssupport line-of-sight omnidirectional reading. In practice, theHyperlabel reader is designed to scan the scanning field from at leasttwo substantially orthogonal directions. This helps the reader to avoidocclusions which may occur if a hand is holding an item. Hyperlabel tagsalso incorporate Reed-Solomon error correction methods to improvereliability.

A further advantage of Hyperlabels over barcodes is that they areunobtrusive to the customer as they do not use visible label space, andtag information is not restricted to only one section of a label.

Hyperlabel tags are therefore easy to locate, easy to read, and enableaccurate automatic scanning. Automatic checkouts minimize thepossibility of collusion between the operator and the customer or theshipping agent(s). That is, it significantly reduces shrinkage due tothe operator or shipping agent deliberately not scanning selected items.It also helps prevent substitution-based fraud.

Hyperlabels are less promiscuous than RFID tags since they requireline-of-sight for reading. This means that it will be difficult forcustomers to have their product scanned for information without theirknowledge. Hyperlabels provide customers with the means to protect theirprivacy in much the same way as they can now when carryingpharmaceutical goods.

Hyperlabels as Interactive Web Pages

A distinctive and unique feature of Hyperlabel technology is thatHyperlabels provide the opportunity to design packaging labels asinteractive ‘Web pages’—and thus make it possible for a whole new rangeof product-linked customer services to be introduced by thepharmaceutical industry.

In a few years from now when digital pen use becomes widespread, productgraphics can be added to labels to indicate interactive areas andprompting customers to write or click using a Hyperlabel Pen. A digitalHyperlabel Pen can identify the x-y position on a label, and enable alink to be established between the information on the label, and a Webpage on a server. The Hyperlabel Pen connects the customer to anInternet-based Hyperlabel Server through a companion device such as amobile phone or computer.

Using a Hyperlabel Pen to interact with the label, customers can beoffered additional information on drug use, risks and advice onpotential interactions between drugs. It could also provide anopportunity for customers to register for participation in new drugtrials, to enter promotions, to participate in Web chat sessions, or toreceive ‘free’ samples.

Web pages can be customised based on customer profiles, local areahealth data, or by using a range of product supply chain data such asgeographic location.

Hyperlabels therefore make it possible for the pharmaceutical industryto extend the use of product labels and packaging to increase brandstrength, and to establish closer links with customers. Thus, withHyperlabels, the customer can become an integral part of the productsupply chain, and supply chain data can be integrated with customerrelationship management (CRM) or healthcare databases to improve theoverall efficiency and level of service offered to customers.

The following sections highlight how Hyperlabel technology can beimplemented to improve overall brand strength and increase security.

Brand Protection

One of the most important challenges now confronting the pharmaceuticalindustry is brand protection. A strong brand protection strategy iscrucial for the pharmaceutical industry to protect profits and R&Dinvestment, as well as customers. The illegal activities now used bycriminals to erode brand value, and that are of most concern are:

-   -   Parallel trade and illegal imports,    -   Product substitution and counterfeiting, and    -   Product tampering.        Parallel Trade and Illegal Imports

Parallel importation of pharmaceuticals exists where there is asignificant price difference for the same product in different markets.

Pharmaceutical manufacturers are firmly against parallel importation asparallel traders reduce their profits, and manufacturers claim that theywill have less money to spend on R&D. Manufacturers also often expressconcern that parallel imports do not meet international standards onsafety, quality and efficacy, and that they give rise to additionalopportunities for counterfeiting. The distribution by unregulated drugoutlets of expired, contaminated, subpotent, superpotent and counterfeitdrugs is also a significant potential danger to customers. Unregulateddispensers may provide patients with incorrect or contraindicatedmedications, incorrect strengths, or medications without adequatedirections for use. State agencies governing the local pharmaceuticalindustry may not have implemented the appropriate standards andsafeguards to protect the public against such occurrences.

Another concern is that the current outlook for international paralleltrade is one of controversy among governments. For example, prices forthe drug Amoxil (amoxicillin) vary considerably around the world—thecheapest US$8 in Pakistan, and the most expensive US$60 in Germany. Itis therefore now common for drugs like Amoxil to be illegally importedacross international borders to avoid high prices. The U.S. Food andDrug Administration (FDA) estimates that approximately two millionparcels containing FDA-regulated products for personal use enter theUnited States annually through international mail facilities. Othersources estimate that nearly 70 pharmacies in Canada (40 in Manitoba)shipped almost US$500 million dollars worth of prescriptions into theUnited States in 2002. In the United States this year, thepharmaceutical industry's trade group—Pharmaceutical Research andManufacturers of America (PhRMA)—has spent US$8.5 million lobbyingagainst a bill to allow the import of Canadian drugs. Much is thereforeexpected from the World Trade Organization (WTO). The outcome is likelyto be further lobbying by the pharmaceutical industry to the WTO forregulations mandating the introduction of individual item identificationand verification capabilities to overcome differences between nationalgovernments.

Hyperlabels can be used to reduce the possibility of parallel trade andillegal imports by using EPC linked data to determine the origin andsupply chain details for each item.

Product Substitution and Counterfeiting

Counterfeit products may include products with the wrong ingredients,without active ingredients, with insufficient active ingredients, orwith fake packaging. This type of illegal behavior can lead tocompromises in patient safety, and economic loss for established drugmanufacturers.

Although counterfeiting laws and regulations have been in place for thepast 20 years, evidence of counterfeiting is increasing. The FDAestimates that up to 40% of pharmaceuticals shipped from countries suchas Argentina, Colombia, and Mexico may be counterfeit. There is nounified world authority to promulgate investigations, nor a worldtribunal for enforcement. Consequently, pharmaceutical firms themselvesmust augment legal approaches with alternative ones to protect industry,stakeholders, and customers.

Hyperlabels can assist manufacturers by making it easy to recognizenon-authentic product and product tampering. A specific ‘fingerprint’ iscreated for each vial, drum, shipping container, and label. Uniqueidentifiers for every product item coming out of the plant shipping dockcan be used to collect data such as the site of manufacture, the date ofpackaging, storage location and time, distribution path, repackagingdetails, testing and possibly other information. Products might alsoinclude multiple layers of tamper evidence. Therefore, a Hyperlabel itemidentification system can be used to assist the pharmaceutical industryto implement an effective item level tracking and tracing system.

Product Tampering

Today, the pharmaceutical industry is in danger from the threat ofpharmaceutical product tampering. Some of today's biopharmaceuticalproducts cost in excess of $2000-$3000 per gram to produce, and somecriminals (and even pharmacists) are tampering for profit. Sincepharmaceuticals are critical to the social, economic and politicalstability of many nations, they are also vulnerable targets forterrorism. In each case, the lack of ability to determine the actualcountry of origin is of utmost concern.

To address these fears, a range of protection methods are now beingimplemented. These may include seals that need to be removed, featuresthat must be broken, or permanent measures such as color, taste, andfragrance that are part of the product itself. Other tools include codeswhose color spectrum is only visible under UV light or special-codedlabel words/symbols visible only with special viewing devices.

The pharmaceutical industry is also acting to secure the supply chainusing new technology to protect all stakeholders, patients andmanufacturers alike. This also means that Brand protection needs to beapplied at several levels of packaging or containment because everylevel offers a possible introduction point for tampered product, and itcould involve the use of several different methods. The levels fortamper evidence start with the largest unit (the warehouse building) andneed to be applied at each package configuration level, down to the itemlabel and contents. Hyperlabels, when used in parallel with otherproduct brand protection methods, can offer the potential to improvebrand protection at each of these points in the supply chain.

Adding the Customer to the Pharmaceutical Supply Chain

One of the key advantages that Hyperlabel can offer the pharmaceuticalindustry, is the ability to extend the use of labeling to make themWeb-interactive so that customers can become an integral part of thesupply chain.

There are many ways for Web-interactive Hyperlabels to bring benefits tothe pharmaceutical industry. Some of these are to:

-   -   Enable customers to authenticate a product themselves,    -   Protect brand strength through improved market segmentation and        customization,    -   Become more customer-centric by introducing new customer-led        marketing models,    -   Refine the marketing mix by introducing Web-based direct to        customer (DTC) marketing campaigns, and,    -   Differentiate products by using extended label marketing models.        Customer Authentication of Products

While the changing of anti-counterfeit approaches helps manufacturersand regulatory agencies differentiate genuine product from falseproduct, the rapid changes can be confusing to the public. This createsa situation where customers find it difficult to check the authenticityof a product themselves. Using a Hyperlabel Pen, customers can validatean item for themselves, as well as access additional product informationand customer-centric services.

Market Segmentation and Customization

Pharmaceutical markets can be divided into three broad product segments:

-   -   Prescription-only medicines (comprise about 80% of the market by        value, and 50% by volume),    -   Generic branded medicines, and    -   Over the counter medicines (OTCs), which may be purchased        without prescription and may also be branded or generic.

Each of these market segments requires different strategic approaches.Suppliers of branded prescription drugs need to protect R&D efforts.Generic companies focus on supply chain logistics and manufacturingcosts. OTCs are rarely prescribed, and they require direct-to-customer(DTC) marketing methods. In each case, Hyperlabel Web-interactivelabeling makes it possible for the pharmaceutical industry to establisha direct marketing relationship with customers in each segment, and atthe same time it provides an opportunity to improve market segmentation.

Customer-Led Marketing

Most pharmaceutical companies have been product-led rather thancustomer-led. This has probably been a consequence of theunpredictability of the R&D process because it has not been easy todevelop a product to meet specific customer needs. Web-interactivehyperlinks provide customers with an ‘opt in’ method of participating innew customer-led marketing activities. For example, they may makesuggestions about what Web character stickers they want to appear on thepackaging to make a child ‘feel better’.

Web Direct to Customer (DTC) Marketing

Another emerging trend has evolved around the growing importance ofdirect-to-customer (DTC) advertising. As a medium, DTC TV advertisingwas one of factors responsible for increasing sales in the USpharmaceutical market during the 1990s. Although the EU does not yetallow DTC advertising of pharmaceuticals, customers can access productinformation on the Web. In the year 2000, health was one of the top 2reasons for people to conduct Web searches. With many customers nowusing the Internet as a productive source of health-related information,more pharmaceutical suppliers are using the Web as a DTC advertisingmedium.

Extended Label Marketing Models

With 70% of purchasing choices made at the point of sale, marketers canbuild brand recognition and drive sales with packaging that makes animmediate impact on customers. Because of this, pharmaceutical companiesnow spend more on packaging than they do on advertising. As markets havematured and competitive differentiation has narrowed, packaging hasbecome a very important component of marketing strategy.

A product's package is often its most distinctive marketing effort, andit performs a number of essential functions: The package provides ameans of communicating with the customer. However, as regulationsrequire more information to be placed on labels, while there is also atrend for packaging to ‘shrink’, the use of the space available becomesmore important. Barcodes take up some of this space. By using invisibleWeb-interactive Hyperlabels, the pharmaceutical industry can conceive arange of extended label marketing models. For example, they can includehyperlinks to a Web page to request SMS reminders to take medicines,enter competitions, reorder goods, or to access support services.

Thus, there are many ways for Web-interactive Hyperlabels to bringbenefits to the manufacturer, and to improve market acceptance of apharmaceutical product.

Hyperlabel Benefits Analysis Matrix

From the conclusions drawn in the preceding sections it is evident thatHyperlabels present a unique opportunity for the pharmaceutical industryto introduce a long term, low cost, unique item identification solutionthat has significant advantages over alternative technologies.

A summary of the comparative advantages of Hyperlabels over 2D opticalbarcodes, and RFID tags is provided in Table 12. The range of benefitsthese advantages can deliver to the pharmaceutical industry include:

-   -   Meet current and anticipated statutory requirements,    -   Protect expensive R&D investment,    -   Limit business and customer risk through criminal and terrorist        activity,    -   Reduce parallel trade and illegal imports,    -   Reduce substitution and counterfeiting,    -   Prevent product tampering,    -   Establish Web links between the industry and customers (via        Hyperlabels), and    -   Improve pharmaceutical supply chain logistics and efficiency.

It is also clear that unique product identification, and track and tracecapabilities are the foundation stones for achieving the above goals.TABLE 12 2D RFID/ REQUIREMENTS BARCODES EPC HYPERLABEL REGULATORY Meetscurrent FDA standards for food, ℏ ℏ ℏ drug and cosmetic labeling. MeetsWHO/FDA track and trace ℏ ℏ ℏ guidelines for deterring and detectingcounterfeit drugs. PACKAGING Provides a new revenue stream for X X ℏMANUFACTURER existing packaging substrates. CUSTOMER Providescustomer-centered ‘opt-in’ X X ℏ Web interactivity for specific productitems and special offers. Provides a solution that is acceptable to ℏ Xℏ privacy advocates concerned about the ability to read tags without thecustomer knowledge. PHARMACEUTICAL Low cost to produce. ℏ X ℏ INDUSTRYOmnidirectional reading. X ℏ ℏ Unobtrusive to customer. X ℏ ℏ Individualproduct item identification. ℏ ℏ ℏ Introduce new customer-centric X X ℏmarketing models based on Web-label interactivity. Can be used withradiopaque materials. ℏ X ℏ

1. A method of producing pharmaceutical product packaging, wherein themethod includes, in a computer system: determining a serial numberassociated with a pharmaceutical product; generating, using the serialnumber, an identity; generating, using the identity, a signature, thesignature being a digital signature of at least part of the identity;causing generation of coded data using the identity, the coded dataincluding a number of coded data portions, each coded data portionencoding the identity; and, at least part of the signature causingprinting of, on the pharmaceutical product packaging: at least somecoded data, and at least one of: the identity; and, the serial number.2. A method according to claim 1, wherein the identity is formed atleast in part from at least one of: a serial number of thepharmaceutical product; an identity of the pharmaceutical product; anEPC; an identity of the packaging; and, an identity of a region of thepackaging.
 3. A method according to claim 1, wherein the methodincludes, encoding the entire signature within a plurality of coded dataportions.
 4. A method according to claim 1, wherein the method includes:determining visible information relating to the pharmaceutical product;determining a description, the description describing a layout of thevisible information; recording an association between the identity andthe layout; and, causing printing of the packaging using the layout. 5.A method according to claim 4, wherein the description is indicative ofat least one action associated with the pharmaceutical product, theaction including at least one of: providing information to a user;updating tracking information relating to the pharmaceutical product;performing a transaction relating to the pharmaceutical product;authenticating the pharmaceutical product; and, receiving feedback fromthe user.
 6. A method according to claim 1, wherein the method includes,in the computer system, communicating with a database, the databasestoring data relating the pharmaceutical product, including at least oneof: authentication data, including at least a key associated with asignature, the signature being a digital signature of at least part ofthe identity; tracking data, the tracking data being at least partiallyindicative of tracking information including at least one of: an ownerof the pharmaceutical product; one or more transactions performed usingthe pharmaceutical product; a location of the pharmaceutical product;and, a location of the sensing device; and, product data, the productdata being at least partially indicative of product informationincluding at least one of: a product cost; a patient identifier; a useridentifier; an owner identifier; manufacture date; batch number; productmanufacturer; product distributor; product supplier; issue country;ingredients; storage conditions; disposal conditions; serial number;expiry date; effects; side-effects; conditions for use; instructions foruse; links to further information; contra-indications; and, dosage.
 7. Amethod according to claim 6, wherein the method includes, in thecomputer system: updating at least some of the data relating to thepharmaceutical product; and, generating the coded data using at leastsome of the data relating to the pharmaceutical product.
 8. A methodaccording to claim 1, wherein the method includes, in the computersystem, receiving from a scanning system, in response to scanning of thepackaging, information indicative of at least one of: a source of thepharmaceutical product; a pharmaceutical product type; the identity ofthe pharmaceutical product; and, the serial number of the pharmaceuticalproduct; and,
 9. A method according to claim 1, wherein the coded datais indicative of a plurality of reference points such that sensing of atleast one coded data portion, by a sensing device, allows fordetermination of at least one of: the identity; at least one signaturepart; a position of the sensing device relative to the packaging; and,movement of the sensing device relative to the packaging.
 10. A methodaccording to claim 1, wherein the identity is formed at least in partfrom at least one of: a coded data portion identity; an identity of thepharmaceutical product; an EPC; an identity of the packaging; and, anidentity of a region of the packaging.
 11. A method according to claim1, wherein packaging includes at least one of: a blister pack; a bottle;a bottle lid; a label; a box; and, a leaflet.
 12. A method according toclaim 1, wherein the coded data is substantially invisible to an unaidedhuman.
 13. A method according to claim 1, wherein the coded data isprinted on the surface using at least one of: an invisible ink; and, aninfrared-absorptive ink.
 14. A method according to claim 1, wherein thecoded data is provided substantially coincident with visiblehuman-readable information.
 15. A method according to claim 1, whereinthe coded includes a number of coded data portions, and wherein at leastsome of the coded data portions encode at least one of: a location ofthe respective coded data portion; a position of the respective codeddata portion on the surface; a size of the coded data portions; asignature part; a size of a signature; an identity of a signature part;units of indicated locations; and, at least part of a data object, theentire data object being encoded at least once by a plurality of codeddata portions.
 16. A method according to claim 15, wherein the dataobject includes at least one of: Multipurpose Internet Mail Extensions(MIME) data; text data; image data; audio data; video data; applicationdata; contact data; information; business card data; and, directorydata.
 17. A method according to claim 1, wherein the coded data includesat least one of: redundant data; data allowing error correction;Reed-Solomon data; and, Cyclic Redundancy Check (CRC) data.
 18. A methodaccording to claim 1, wherein the digital signature includes at leastone of: a random number associated with the identity; a keyed hash of atleast the identity; a keyed hash of at least the identity produced usinga private key, and verifiable using a corresponding public key;cipher-text produced by encrypting at least the identity; cipher-textproduced by encrypting at least the identity and a random number; and,cipher-text produced using a private key, and verifiable using acorresponding public key.
 19. A method according to claim 1, wherein thecoded data is arranged in accordance with at least one layout havingn-fold rotational symmetry, where n is at least two, the layoutincluding n identical sub-layouts rotated 1/n revolutions apart about acentre of rotation, at least one sub-layout includingrotation-indicating data that distinguishes that sub-layout from eachother sub-layout.
 20. A method according to claim 1, wherein the codeddata is arranged in accordance with at least one layout having n-foldrotational symmetry, where n is at least two, the layout encodingorientation-indicating data comprising a sequence of an integer multiplem of n symbols, where m is one or more, each encoded symbol beingdistributed at n locations about a centre of rotational symmetry of thelayout such that decoding the symbols at each of the n orientations ofthe layout produces n representations of the orientation-indicatingdata, each representation comprising a different cyclic shift of theorientation-indicating data and being indicative of the degree ofrotation of the layout.